Method and apparatus for establishing a security policy, and method and apparatus for supporting establishment of security policy

ABSTRACT

There are provided a method of efficiently establishing a security policy and an apparatus for supporting preparation of a security policy. According to a method of establishing a security policy in six steps, a simple security policy draft is first prepared. The security policy draft is adjusted so as to match realities of an organization, as required, thus completing a security policy stepwise. Therefore, a security policy can be established in consideration of a schedule or budget of the organization.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention relates to establishment of a so-called security policy. More particularly, the present invention relates to a method and apparatus which enable immediate establishment of a security policy suitable for an individual organization, as well as to a method and apparatus for supporting establishment of a security policy.

2. Background Art

In association with development of information technology, the importance of information security increases. Every organization takes various measures for protecting internal information.

For example, a firewall is set at an interface for establishing connection with an external network, thereby preventing unauthorized intrusion of outsiders into an internal network of the organization, or unauthorized access to internal information.

In order to combat computer viruses or the like, virus detection/combat software is employed for monitoring computers disposed in the organization. Throughout the specification, the expression “organization” signifies an enterprise, a federal or municipal agency, a corporation such as a legally-incorporated foundation, or any other party or organized group.

As mentioned above, various measures have hitherto been taken for ensuring information security.

If such measures are independently or separately discussed or reviewed, ensuring the security level of the entire organization becomes difficult.

For instance, no matter how well a firewall is enhanced, if third parties can freely enter the organization's building and have an opportunity to operate a terminal, the security level of the entire organization is considerably deteriorated.

Even if virus detection software is used, if updating of software for opposing new viruses is neglected, the software cannot combat newly created computer viruses.

In order to enhance the information security level of the entire organization, there must be devised a method for designing and implementing information security of the entire organization. Such a designing and implementation method (or a group of designing and implementation methods) is generally called a security policy.

Various proposals concerning basic headings and contents for establishing a standard security policy have already been put forward as international guidelines. As a matter of course, the headings and contents must be individually tailored to the organization.

Therefore, there still remains a necessity for establishing a security policy on a per-organization basis; security policies cannot be mass-produced. Thus, establishment of an individual security policy involves consumption of much time and effort.

Further, contents of a security policy must be changed with the elapse of time. For instance, in a case where a corporate organizational structure has been changed, usage value and risk assessment of existing information must be changed correspondingly.

A common method concerning establishment of a security policy and making periodic amendments to the security policy has not been known. For this reason, individual systems engineers have had to establish or amend a security policy through experience and guesswork. As a result, establishment of or making amendments to a security policy consumes an enormous amount of manpower. It is assumed that amendments may fail to catch up with a change in the actual circumstances (hereinafter called “reality”) of an organization.

It has often been seen that a wide difference arises between a security policy and the reality of an organization, thereby imposing difficulty in establishing and sustaining enhanced information security.

The present invention has been conceived in light of the foregoing drawbacks of the background art and is aimed at providing a method of efficiently establishing a security policy, as well as an apparatus for supporting establishment of a security policy.

SUMMARY OF THE INVENTION

To this end, the present invention provides a method of establishing a security policy for a predetermined organization, the method comprising:

a draft preparation step of preparing a security policy draft;

an analysis step of examining a difference between the security policy draft and realities of the organization; and

an adjustment step of adjusting the security policy draft on the basis of the difference or adjusting operation rules of an actual information system belonging to the organization on the basis of the difference.

By means of such a configuration, a security policy can be established stepwise, thereby enabling efficient establishment of a security policy.

Preferably, the draft preparation step comprises: a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a drafting step of preparing a security policy draft on the basis of the answers.

By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

Preferably, the analysis step comprises at least one of:

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers;

a first difference detection step of inspecting a difference between an information system virtually designed on the basis of the answers and the security policy by means of comparison; and

a second difference detection step of verifying the virtually-designed information system by means of examination of a real information system and inspecting a difference between the verified information system and the security policy draft by means of comparison.

Such a configuration enables finding of contradiction between answers and detection of a difference between a real information system and a security policy.

Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

Such a configuration enables devising of measures with assigned priorities.

Preferably, the method of establishing a security policy further comprises a diagnosis step of diagnosing the security state of the organization, wherein a result of diagnosis performed in the diagnosis step is submitted to the organization, wherewith the organization can become conscious of a necessity for a security policy.

Such a configuration enables ascertainment of security status of the organization.

Preferably, the method of establishing a security policy further comprises a priority planning step of planning, in sequence of priority, implementation with priority of the security measures which have been devised, thereby embodying a budget of the organization.

Such a configuration enables implementation of security measures in a premeditated manner, thereby facilitating preparation of a budget.

Preferably, the security measures comprise constructing a system for managing the establishment of a security policy;

introduction of a security system;

training for compelling members to respect a security policy;

analysis of system logs;

monitoring of a network;

auditing operations on the basis of the security policy; and

reviewing the security policy.

Since the security measures involve training of members as well as introduction of information security equipment, a higher degree of information security can be attained.

Preferably, the method of establishing a security policy further comprises a security enhancement measures implementation step of implementing the security measures in accordance with the plan.

Such a configuration enables smooth implementation of security measures.

The present invention also provides a method of establishing a security policy comprising:

a preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

an establishment step of establishing a security policy on the basis of the answers.

By means of such a configuration, a security policy draft can be prepared on the basis of inquiries.

Preferably, the preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

Preferably, the answer acquisition step includes at least one of the steps of:

integrating the answers acquired from a single member from among the acquired answers and storing the integrated answers into storage means as answers of a single member to be inquired;

re-submitting inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and storing the answers into the storage means; and

assigning weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers and display the estimated answers.

Such a configuration enables integration of answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

Preferably, the establishment step involves establishment of three levels of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures to implement the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for the individual pieces of equipment constituting the information security system of the organization.

Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy describing settings of the individual pieces of equipment constituting the information security system in natural language; and

a second-level security policy describing settings of the individual pieces of equipment constituting the information security system in the specific language used in the specific equipment.

The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

Preferably, the analysis step comprises

a contradiction inspection step of inspecting whether or not contradictory answers are included in the answers; and

a difference detection step of inspecting whether or not there is a difference between an information system virtually designed on the basis of the answers and a real information system of the organization.

Such a configuration enables efficient detection of contradiction or difference.

Preferably, the method of establishing a security policy further comprises a measurement step of devising measures addressing the inspected difference, in conjunction with the priority of the measures.

Since measures are devised in conjunction with priorities thereof, planning for implementing information security is facilitated.

The present invention also provides an apparatus for establishing a security policy comprising:

inquiry preparation means of preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring from the members the answers to the inquiries and storing the answers into the storage means; and

establishment means for establishing a security policy on the basis of the answers stored in the storage means.

Since inquiries to be submitted to members are prepared, inquiry operations are facilitated. Here, the expression “member” signifies any individual associated with an information system of the organization. Therefore, members include part-time employees and employees of affiliated corporations, as well as employees of an organization of interest.

Preferably, the inquiry preparation means prepares inquiries to be submitted to the members to be inquired, on the basis of job specifications of the members to be inquired.

Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

Preferably, the answer archival storage means integrates the answers acquired from a single member from among the acquired answers and stores the integrated answers into the storage means as answers of a single member to be inquired; or

re-submits inquiries to members if contradictory answers are included in the answers, to thereby resolve contradiction, and stores the answers into the storage means; or

assigns weights to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate answers, and displays the estimated answers.

Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.
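The answer integration, contradiction handling and job-specification weighting described above for both the answer acquisition step and the answer archival storage means can be sketched as follows. This is an added illustration, not code from the specification; the weight values, job names, question identifiers and sample records are constructed assumptions, and a tie in the weighted estimate is treated here as a case for re-submitting the inquiry.

```python
from collections import defaultdict

# Assumed weights per job specification (the specification gives no values).
JOB_WEIGHTS = {"system_administrator": 3.0, "manager": 2.0, "staff": 1.0}

# Constructed sample: (inquirer, member, job specification, question id, answer).
RECORDS = [
    ("inquirer_a", "sato", "system_administrator", "fw_installed", "yes"),
    ("inquirer_b", "sato", "system_administrator", "av_updated_weekly", "no"),
    ("inquirer_a", "tanaka", "manager", "fw_installed", "yes"),
    ("inquirer_b", "tanaka", "manager", "fw_installed", "no"),  # contradicts own answer
    ("inquirer_b", "tanaka", "manager", "av_updated_weekly", "yes"),
    ("inquirer_a", "sato", "system_administrator", "visitor_escort", "no"),
    ("inquirer_a", "tanaka", "manager", "visitor_escort", "yes"),
    ("inquirer_b", "suzuki", "staff", "visitor_escort", "yes"),
]


def integrate_by_member(records):
    """Store answers gathered by several inquirers as one record per member.

    Returns (store, reinquire). A member who gave two different answers to the
    same question is listed in `reinquire` and that answer is withheld.
    """
    store, reinquire = {}, set()
    for _inquirer, member, job, qid, answer in records:
        entry = store.setdefault(member, {"job": job, "answers": {}})
        previous = entry["answers"].get(qid)
        if previous is not None and previous != answer:
            reinquire.add((member, qid))
        else:
            entry["answers"][qid] = answer
    for member, qid in reinquire:
        store[member]["answers"].pop(qid, None)
    return store, reinquire


def find_contradictions(store):
    """Return {question: {answer: [members]}} where members disagree."""
    by_question = defaultdict(lambda: defaultdict(list))
    for member, entry in store.items():
        for qid, answer in entry["answers"].items():
            by_question[qid][answer].append(member)
    return {
        qid: {answer: sorted(members) for answer, members in answers.items()}
        for qid, answers in by_question.items()
        if len(answers) > 1
    }


def estimate_answer(store, qid, weights=JOB_WEIGHTS):
    """Weighted vote over the stored answers to one question.

    Returns (answer, share of total weight). The answer is None when nobody
    answered or when the two leading answers tie, so the inquiry is repeated
    instead of guessing.
    """
    totals = defaultdict(float)
    for entry in store.values():
        answer = entry["answers"].get(qid)
        if answer is not None:
            totals[answer] += weights.get(entry["job"], 1.0)
    if not totals:
        return None, 0.0
    ranked = sorted(totals.items(), key=lambda item: item[1], reverse=True)
    share = ranked[0][1] / sum(totals.values())
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None, share
    return ranked[0][0], share


if __name__ == "__main__":
    store, reinquire = integrate_by_member(RECORDS)
    print("re-submit to:", sorted(reinquire))
    for qid in sorted(find_contradictions(store)):
        print(qid, "->", estimate_answer(store, qid))
```

With the sample records, the administrator's "no" on weekly virus-definition updates outweighs the manager's "yes", which is the kind of gap between stated practice and reality that the analysis step is meant to surface.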

Preferably, the establishment means establishes three levels of security policies; namely,

an executive-level security policy which describes the organization's concept and policy concerning information security in conformity with global guidelines;

a corporate-level security policy which describes an information security system embodying the executive-level security policy; and

a product-level security policy which describes measures to implement the executive-level security policy with reference to the corporate-level security policy.

Since three levels of security policies are established, a hierarchical security policy can be obtained. Here, the measures for implementing the executive-level security policy with reference to the corporate-level security policy include operation rules for utilizing the security policies, as well as hardware and software.

Preferably, the corporate-level security policy describes standards for the information security system of the overall organization; and standards for the individual pieces of equipment constituting the information security system of the organization.

Such a configuration clarifies a security policy for the entire organization and a security policy for individual pieces of equipment. Here, equipment is a concept including networks, hosts, and applications.

Preferably, the product-level security policy includes two types of product-level policies; namely,

a first-level security policy describing settings of the individual pieces of equipment constituting the information security system in natural language; and

a second-level security policy describing settings of the individual pieces of equipment constituting the information security system in the specific language used in the specific equipment.

The first-level product-level security policy enables a human to understand a security policy. The second-level product-level security policy facilitates setting of individual equipment. Here, equipment includes both hardware and software constituting the information security system.

The present invention also provides a method of assessing the state of security of an organization, the method comprising:

an inquiry preparation step of preparing inquiries to be submitted to members of an organization;

an inquiry step of submitting the prepared inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a security state assessment step of assessing the state of security on the basis of the answers.

By means of such a configuration, the security state of an organization can be ascertained on the basis of answers to inquiries.

Preferably, the inquiry preparation step involves preparation of inquiries on the basis of job specifications of members to be inquired.

Since inquiries are prepared according to a job specification of a member to be inquired, inquiries can be submitted efficiently.

Preferably, the answer acquisition step involves integration of previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and involves storage of the integrated answers into storage means as answers from a single member to be inquired.

Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

Preferably, the assessment of a security state includes

assessment of security of the organization;

average assessment of security of the other organizations included in an industry to which the organization pertains; and

the highest security assessment which is considered to be attainable by organizations in the industry to which the organization pertains.

Such a configuration enables assessment of an organization in comparison with similar organizations. Further, display of a theoretical highest value assists a manager in setting a goal to be attained.

Preferably, the assessment of a security state includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

a response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

Such a configuration enables an organization to ascertain assessment of information security on a per-item basis in respect of manager's concept.

The present invention also provides an apparatus for assessing the state of security of an organization, the apparatus comprising:

preparation means for preparing inquiries to be submitted to members of an organization;

storage means for storing answers to the inquiries;

answer archival storage means for acquiring the answers to the inquiries from the members and storing the answers into the storage means; and

security maturity preparation means for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

Inquiries are submitted to members, and an organization can ascertain its security on the basis of answers to the inquiries.

Preferably, the answer archival storage means integrates previous answers and acquired answers in a case where the answers are provided by a member to be inquired who has provided answers before, and stores the integrated answers into the storage means as answers from a single member to be inquired.

Such a configuration enables integration of answers while ensuring a match among the answers in a case where a plurality of inquirers separately submit inquiries to members to be inquired.

Preferably, the security maturity report includes

the degree of maturity of the organization's security;

the average degree of maturity of security of other organizations included in an industry to which the organization pertains; and

the highest degree of maturity of security which is considered to be attainable by organizations in the industry to which the organization pertains.

Such a configuration enables assessment of an organization in comparison with other organizations in respect of average degree. Further, display of a theoretical highest value facilitates setting of a goal to be attained.

Preferably, the security maturity report includes scores assigned to the following items; namely,

understanding and attitude concerning security;

a security system of the organization;

response to unexpected accidents;

preparation of a budget for security; and

measures to improve security.

Such a configuration enables an organization to ascertain assessment of information security on a per-item basis in respect of manager's concept.

The present invention also provides an analyzer for analyzing a difference between a security policy and an information system of an organization, comprising

contradiction inspection means for inspecting whether or not contradiction exists between individual answers in response to inquiries submitted to members of the organization; and

contradiction output means for outputting information about the inspected contradiction.

Such a configuration enables ascertainment of contradiction included in answers.

Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises

indicating means for indicating the contradiction on the basis of the information about contradiction;

establishment means for virtually establishing an information system for the organization on the basis of the answers produced by the matching means; and

difference output means for outputting a difference between the configuration of the virtually-established information system and a security policy, by means of comparison.

Such a configuration enables ascertainment of a difference between a security policy and realities of an organization.

Preferably, the analyzer for analyzing a difference between a security policy and an information system of an organization further comprises

real system input means for examining the information system of the organization and entering the configuration of the information system; and

difference output means which verifies the virtually-established information system by reference to the configuration of the information system and outputs a difference between a security policy and the configuration of the virtually-established information system which has been verified, by means of comparison.

Such a configuration enables comparison between an information system which has been verified by means of actual examination of an information system and a security policy, thereby enabling accurate analysis of a difference.

An invention according to a second embodiment will now be described.

To solve the previously-described problem, in the inquiry preparation step, the inquiries are prepared in accordance with the line of business of the organization.

Preferably, the inquiry preparation means generates inquiries to be submitted to an interviewee in accordance with the line of business of the organization.

According to the present invention, the line of business of an organization is taken into account. Hence, a security policy corresponding to a line of business can be established.

An invention according to a third embodiment will now be described.

According to the present invention, in the drafting step, a security policy is drafted on the basis of recommendations or regulations aimed at a specific line of business.

According to the present invention, the establishment means establishes a security policy on the basis of items of recommendations or regulations aimed at a specific line of business.

Such a configuration enables establishment of a security policy for items which are of greater detail than general-purpose global guidelines, in connection with a specific line of business.

An invention according to a fourth embodiment will be described hereinbelow.

According to the present invention, in the establishment step, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

According to the present invention, the establishment means establishes a security policy on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

By means of the configuration of the invention, a user can select the global guidelines to be employed.

According to the present invention, in the inquiry preparation step, inquiries are generated on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

Similarly, the inquiry preparation means generates inquiries to be submitted to interviewees, on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

By means of such a configuration, inquiries complying with a global guideline prescribed by the user are submitted, thereby enabling efficient inquiries.

An invention according to a fifth embodiment will now be described.

According to the present invention, in the establishment step, a security policy is established on the basis of an indicator of rigorousness of security policy prescribed by the user.

According to the present invention, the establishment means establishes a security policy on the basis of an indicator of rigorousness of security policy prescribed by the user.

By means of the configuration according to the present invention, the user can freely specify the level of rigorousness of security policy through use of security policy.

According to the present invention, in the inquiry preparation step, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

Similarly, according to the present invention, the inquiry preparation means generates inquiries, on the basis of an indicator of rigorousness of security policy prescribed by the user.

By means of such a configuration, inquiries are generated in accordance with the level of rigorousness prescribed by the user. As will be described later, if a higher level of rigorousness is prescribed, the number of general inquiries is increased, so that inquiries concerning detailed items are generated. In contrast, if a lower level of rigorousness is prescribed, the number of general inquiries is reduced, and inquiries become less elaborate. Since inquiries according to the level of rigorousness are generated, inquiries can be made more efficiently.

The present invention provides a security policy rigorousness adjustment method for adjusting the level of rigorousness of a security policy, comprising:

a rigorousness adjustment step of replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

a merge and output step of merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and of outputting the merged rules.

Further, the present invention provides a security policy rigorousness adjustment apparatus for adjusting the level of rigorousness of a security policy, comprising:

rigorousness adjustment means for replacing the rules which have been determined not to match the indicator of rigorousness prescribed by a user with rules matching the indicator of rigorousness; and

merge and output means for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and for outputting the merged rules.

By means of these configurations according to the present invention, the level of rigorousness of security policy can be adjusted such that a level of rigorousness prescribed by the user is achieved.
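An added illustration of the rigorousness adjustment and merge-and-output steps, not code from the specification: the five-level indicator, the rule library and the draft are constructed assumptions, and a rule counts as matching when the prescribed indicator falls inside the range of levels it was written for. Rules with no matching substitute are returned separately so the gap is visible rather than silently dropped.

```python
from dataclasses import dataclass

LEVELS = range(1, 6)  # assumed indicator scale: 1 (lenient) to 5 (strict)


@dataclass(frozen=True)
class Rule:
    topic: str
    min_level: int
    max_level: int
    text: str

    def matches(self, indicator):
        """A rule matches when the indicator lies in its level range."""
        return self.min_level <= indicator <= self.max_level


# Constructed library of rule variants, several per topic.
RULE_LIBRARY = [
    Rule("password", 1, 2, "Passwords are at least 8 characters."),
    Rule("password", 3, 4, "Passwords are at least 12 characters."),
    Rule("password", 5, 5, "Passwords are at least 16 characters with a second factor."),
    Rule("virus_definitions", 1, 3, "Virus definitions are updated weekly."),
    Rule("virus_definitions", 4, 5, "Virus definitions are updated daily."),
    Rule("visitor_access", 1, 5, "Visitors are escorted inside the building."),
    Rule("log_review", 1, 2, "System logs are reviewed after an incident."),
    Rule("log_review", 3, 5, "System logs are reviewed weekly."),
]

# Constructed draft written at level 2; the remote_access rule is
# organization-specific and has no variants in the library.
DRAFT = [
    RULE_LIBRARY[0],
    RULE_LIBRARY[3],
    RULE_LIBRARY[5],
    Rule("remote_access", 1, 2, "Remote access requires a password."),
    RULE_LIBRARY[6],
]


def adjust_rigorousness(draft, indicator, library=RULE_LIBRARY):
    """Return (merged, replaced_topics, unresolved).

    merged     -- rules that matched from the beginning plus substitutes,
                  in the draft's original order
    replaced   -- topics whose rule was swapped for a matching variant
    unresolved -- draft rules that do not match and have no substitute;
                  these need manual drafting before the policy is complete
    """
    if indicator not in LEVELS:
        raise ValueError(f"indicator must be one of {list(LEVELS)}")
    merged, replaced, unresolved = [], [], []
    for rule in draft:
        if rule.matches(indicator):
            merged.append(rule)  # matched from the beginning
            continue
        substitute = next(
            (c for c in library if c.topic == rule.topic and c.matches(indicator)),
            None,
        )
        if substitute is None:
            unresolved.append(rule)
        else:
            merged.append(substitute)
            replaced.append(rule.topic)
    return merged, replaced, unresolved


if __name__ == "__main__":
    merged, replaced, unresolved = adjust_rigorousness(DRAFT, 4)
    for rule in merged:
        print(f"[{rule.topic}] {rule.text}")
    print("replaced:", replaced)
    print("needs manual drafting:", [r.topic for r in unresolved])
```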

An invention according to a sixth embodiment will now be described.

The present invention provides a method of establishing a security policy of a predetermined organization, comprising:

an inquiry preparation step of generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

an inquiry submission step of submitting the generated inquiries to the members;

an answer acquisition step of acquiring from the members answers to the inquiries; and

a preparation step of preparing a security policy draft on the basis of the answers, wherein, in the establishment step, a security policy within a range of establishment prescribed by the user is established.

By means of the configuration set forth, a security policy falling within the range prescribed by the user is obtained.

According to the present invention, in the inquiry preparation step, inquiries pertaining to the range of establishment prescribed by the user are generated.

By means of such a configuration according to the present invention, only inquiries about the range prescribed by the user are generated. Hence, submission of inquiries irrelevant to the range is prevented.

The present invention provides a security policy establishment apparatus for establishing a security policy of a predetermined organization, comprising:

inquiry preparation means for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

storage means for storing answers to the generated inquiries;

answer archival storage means for acquiring answers to the generated inquiries and storing the answers into the storage means; and

establishment means for establishing a security policy within the range of establishment prescribed by the user.

By means of such a configuration, there is obtained a security policy falling within the range prescribed by the user.

According to the present invention, the inquiry preparation means generates inquiries pertaining to the range of establishment prescribed by the user.

Such a configuration enables generation of only inquiries pertaining to a range prescribed by the user. Hence, submission of inquiries irrelevant to the range is prevented.

An invention according to a seventh embodiment will be described.

The seventh embodiment describes programs for causing a computer to perform the operations which have been described thus far and a recording medium (hard disk drive) having the programs recorded thereon. Hence, operations of the programs and operation of the recording medium having the programs recorded thereon are identical with those of the inventions which have been described thus far.

The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of the organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and

establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

According to the present invention, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

According to the present invention, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

According to the present invention, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

According to the present invention, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the prepared inquiries and storing the answers into storage means; and

security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers submitted in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

contradiction output procedures for outputting information about the inspected contradiction.

Preferably, the recording medium further comprises:

matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching means; and

difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

The present invention provides a computer-readable recording medium having recorded thereon a program for causing a computer to perform:

level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user;

rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection step with rules matching the indicator of rigorousness; and

merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and for outputting the merged rules.

The inventions set forth relate to a recording medium. Next, an invention related to a program will be described.

The present invention provides a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for establishing a security policy of a predetermined organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the prepared inquiries and storing the answers into storage means; and

establishment procedures for establishing a security policy on the basis of the answers stored in the storage means.

According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to interviewees are generated on the basis of job specifications of the interviewees.

According to the present invention, in the answer archival procedures, the answers acquired from a single member from among the acquired answers are integrated, and the integrated answers are stored into the storage means as answers of a single member to be inquired; or

weights are assigned to answers according to job specifications of the members to be inquired if contradictory answers are included in the answers, to thereby estimate final answers and display the estimated final answers.

According to the present invention, in the inquiry preparation procedures, inquiries to be submitted to the interviewees are generated on the basis of the line of business of the organization.

According to the present invention, in the establishment procedures, a security policy is established on the basis of items of global guidelines of one or a plurality of types prescribed by a user.

According to the present invention, in the inquiry preparation procedures, the inquiries are generated on the basis of an indicator of rigorousness of security policy prescribed by the user.

According to the present invention, in the establishment procedures, a security policy within a range of establishment prescribed by the user is established.

The present invention provides a program for causing a computer to perform:

inquiry preparation procedures for generating inquiries which pertain to items required for evaluating the degree of maturity of security of a predetermined organization and are to be submitted to members of the organization;

answer archival procedures for entering answers to the generated inquiries and storing the answers into storage means; and

security maturity preparation procedures for preparing a security maturity report representing the degree of maturity of security, on the basis of the answers stored in the storage means.

The present invention provides a program for causing a computer to perform:

contradiction inspection procedures for inspecting whether or not contradiction exists between individual answers in response to inquiries which pertain to items required for ascertaining a difference between a security policy of the predetermined organization and an information system of the organization and which have been submitted to members of a predetermined organization; and

contradiction output procedures for outputting information about the inspected contradiction.

According to the present invention, the program further comprises:

matching procedures for matching the answers on the basis of the information about contradiction, thus producing answers free of contradiction;

establishment procedures for virtually establishing the configuration of an information system of the organization, on the basis of the answers produced by the matching means; and

difference output procedures for outputting a difference between the configuration of the virtually-established information system and the security policy, obtained by means of comparison.

The present invention provides a program for causing a computer to perform:

level-of-rigorousness inspection procedures for inspecting whether or not individual rules of the security policy match an indicator of rigorousness prescribed by a user;

rigorousness adjustment procedures for replacing the rules which have been determined not to match the indicator in the level-of-rigorousness inspection step with rules matching the indicator of rigorousness; and

merge and output procedures for merging the rules matching the indicator of rigorousness from the beginning with the rules which in the rigorousness adjustment step have replaced the rules not matching the indicator and for outputting the merged rules.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a flowchart representing the principle of a business model according to a preferred embodiment of the present invention;

FIG. 2 is a block diagram showing the configuration of an appraisal device;

FIG. 3 is a flowchart representing preparation of an appraisal report;

FIG. 4 is a block diagram showing the configuration of an apparatus for preparing a security policy draft;

FIG. 5 is a flowchart showing establishment of a security policy draft through use of a security policy draft establishment apparatus;

FIG. 6 is a listing of types representing job specifications;

FIG. 7 is a block diagram showing the configuration of an analyzer;

FIG. 8 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a second embodiment of the present invention;

FIG. 9 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a third embodiment of the present invention;

FIG. 10 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a fourth embodiment of the present invention;

FIG. 11 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a fifth embodiment of the present invention;

FIG. 12 is a block diagram showing the configuration of a security policy rigorousness adjustment apparatus according to the fifth embodiment of the present invention;

FIG. 13 is a flowchart showing operation of the security policy rigorousness adjustment apparatus according to the fifth embodiment;

FIG. 14 is a block diagram showing the configuration of a security policy draft preparation apparatus according to a sixth embodiment of the present invention; and

FIG. 15 is a descriptive view showing a computer and a hard disk drive provided therein according to a seventh embodiment.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENT

A preferred embodiment of the present invention will now be described hereinbelow by reference to the accompanying drawings.

First Embodiment

There will be described a business model concerning a round of operations from establishment of a security policy of a certain organization to maintenance of the security policy. Preferably, the business model is implemented by a system engineer through use of a predetermined expert system.

The principle of the business model according to a first embodiment of the present invention will first be described. FIG. 1 shows a flowchart representing the principle of such a business model. As illustrated by the drawing, the business model according to the present invention is basically made up of the following six steps.

Step 1: Assessment of security maturity

Step 2: Preparation of a security policy draft

Step 3: System, and inspection and analysis of the system

Step 4: Coordination between a policy and rules

Step 5: Priority Planning

Step 6: Implementation of measures to enhance security.

According to the security establishment method consisting of six steps, an interview-based security policy draft is first established. If necessary, the security policy draft is re-adjusted so as to reflect the reality of an organization. Since the security policy is completed stepwise, the security policy can be established in accordance with the schedule or budget of an organization.

Step 1 is for evaluating the current state of information security of an organization. Through assessment of information security, the organization can ascertain the goal to be attained in respect of manager's concept.

Step 2 is for preparing an elementary security policy draft by means of submitting inquiries to members of the organization. The security policy draft is prepared by means of simple interview, and hence a security policy can be prepared at relatively low cost.

Step 3 is for reviewing a difference between the virtually constructed information system and the reality of the organization. Since the virtually constructed information system is prepared on the basis of mere answers to the inquiries, a difference may arise between the virtually constructed information system and the reality of the organization.

Step 4 is for adjusting, in accordance with a difference, a security policy or rules about security products which have already been introduced.

Step 5 is for establishing a future information security plan, taking into consideration precedence in adopting means or measures.

Step 6 is for performing required security protection measures according to the information security plan.

Since the security policy is established stepwise as mentioned above, a security policy can be established in accordance with realities of each organization; that is, the budget or concept of each organization.

For instance, whether or not a security policy draft is sufficient depends on the company's way of thinking or budget. Priority planning makes a future plan specific, and hence there will be yielded an advantage of easy development of a budget for the organization.

The dominant steps of the business model according to the present embodiment reside particularly in steps 2 through 4. In step 2, an elementary security policy draft is prepared. In step 3, a difference between the security policy draft and the realities of an organization is analyzed. In step 4, a security policy or rules for security products which have already been introduced are adjusted. So long as a business model includes at least steps 2 through 4, the business model enables systematic establishment of a security policy. Such a business model enables an increase in productivity and quality relative to a conventional method based on experience and intuition.

In order to implement such stepwise establishment of a security policy, various expert systems are used in the first embodiment.

Steps 1 through 6 will now be described individually, including a method of using expert systems.

A. Step 1: Assessment of Security Maturity

In this step, maturity of current information security of an organization is objectively assessed. Through such an appraisal, the organization can be rated in terms of security. More specifically, assessment of information security is performed by means of preparing the security maturity appraisal report.

In the first embodiment, security maturity is assessed on the basis of a Software Capability Maturity Model developed by Carnegie Mellon University in the U.S. According to this model, security maturity is quantitatively assessed with regard to five headings. In other words, scores are assigned for each of the five headings.

The five headings are as follows:

a: Comprehension and posture of an administrator regarding information security

b: Security status of an organization

c: Response to an unexpected disaster

d: Budgeting for security

e: Measures to improve security

Here, an unexpected disaster means an event which threatens information security; for example, a wiretapping activity or faulty operation of equipment. Entry “c”; i.e., response to unexpected disaster, represents whether or not the organization can address unexpected disaster. Entry “d”; i.e., budgeting for security, represents whether or not a sufficient budget is ensured for information security. Entry “e”; i.e., measures to improve security, represents the extent to which a schedule or plan for security improvement is made.

In the first embodiment, a maturity assessment report is prepared with regard to the above-described five headings, and includes scores. By means of such a report, the objective estimation of manager's understanding for information system security of an organization can be ascertained.

A specific method of preparing the security maturity assessment report will now be described.

In the first embodiment, inquiries are submitted to the organization's manager (CEO, president, etc.) and a maturity assessment report is prepared on the basis of answers to the inquiries. More specifically, an appraisal device 10 shown in FIG. 2 performs preparation of inquiries, collection of answers, and preparation of the security maturity assessment report. FIG. 3 shows a flowchart representing operations for preparing the security maturity assessment report. The flowchart shown in FIG. 3 shows, in more detail, processing pertaining to step S1-1 shown in FIG. 1.

As shown in FIG. 2, the appraisal device 10 has inquiry preparation means 12 for preparing inquiries to be submitted to managers to be inquired.

A variety of inquiries are stored beforehand in the storage means 14, and the inquiry preparation means 12 extracts inquiries required for a member to be inquired.

The appraisal device 10 has answer archival storage means 16. Answers submitted by managers in response to inquiries which have been prepared in the manner as mentioned above are supplied to the answer archival storage means 16. The answer archival storage means 16 preserves answers in the storage means 14.

The first embodiment is also characterized in that the answer archival storage means 16 has an answer integration function. In a case where inquiries are submitted by a plurality of systems engineers, answers to the inquiries are collectively stored in the storage means 14 according to the answer integration function. In a case where a large number of managers are to be inquired, answers can be immediately acquired by means of a plurality of systems engineers sharing the load of submitting inquiries to the managers through interview. In such a case, the resultant answers are accumulated in a plurality of computers. Therefore, these answers must be integrated into a single database.

As a matter of course, the answer integration function can be utilized for integrating answers submitted by a single manager to be inquired as a result of inquiries having been submitted to the manager and answers having been acquired from the manager on several occasions, for reasons that submitting inquiries to the manager and receiving answers to the inquiries from the member could not be performed on a single occasion.

The appraisal device 10 has security maturity preparation means 18, which prepares the security maturity report, or an assessment report about information security of an organization, on the basis of the group of answers stored in the storage means 14.

This appraisal device 10 is a so-called expert system.

There is employed the appraisal device 10 having the function of integrating collected answers. Consequently, the security maturity assessment report can be prepared efficiently and precisely.

By reference to the flowchart shown in FIG. 3, there will be described an operation for preparing the security maturity assessment report.

In step S3-1, inquiries to be submitted to the member are prepared by the inquiry preparation means 12.

In step S3-2, a systems engineer submits the thus-prepared inquiries to the manager.

In step S3-3, answers to the inquiries are acquired from the manager and delivered to the answer archival storage means 16 of the appraisal device 10. As set forth, the answer archival storage means 16 has the answer integration function and sends the answers to the storage means 14 after having integrated them into a single database.

In step S3-4, the security maturity report preparation means 18 prepares the security maturity assessment report including scores assigned to five respective headings, on the basis of the group of answers stored in the storage means 14.

As mentioned above, the security maturity assessment report is prepared through use of the appraisal device 10.

Comparison between Industry Standard and Scores Described in Security Maturity Assessment Report

As mentioned previously, scores (points) are assigned to five respective headings described in the security maturity assessment report.

The first embodiment is characterized particularly in that an average of scores assigned to all the organizations and the highest score in an industry to which the organization pertains are displayed along with a score assigned to the security maturity assessment report. Here, the expression “highest score” is the top score (a theoretical value) which can be attained by any organization belonging to the industry.

As a result, the ranking of efforts made by the organization for ensuring information security in the industry can be readily ascertained. Such a mean value and the maximum value in an individual industry are stored in the storage means 14 beforehand. Further, an average value is updated periodically.

Report on the Progress of Implementation of Security Measures

In the first embodiment, the security maturity assessment report is prepared so that the manager's understanding for information security of an organization is investigated prior to establishment of a security policy. However, so long as the security maturity report is prepared during the course of sequential implementation of measures for information security, the progress of implementing measures for information security can be ascertained. Accordingly, a step of preparing the security maturity report also serves as a step of reporting the progress of implementation of security.

In the appraisal device 10 according to the first embodiment, all the inquiries and corresponding answers are stored in the storage means 14. However, it may be the case that inquiries are stored in one storage means and answers are stored in another storage means.

B. Step 2: Preparation of Security Policy Draft

In this step, a simple security policy draft of an organization is prepared. The draft corresponds to a security policy based on answers submitted by members of the organization in response to inquiries. Since an actual information system of the organization has not yet been investigated, a security policy cannot be established immediately.

Various basic headings and contents used for establishing a standard security policy have already been known as international guidelines. These guidelines are hereinafter called global guidelines. In the present embodiment, a security policy draft is prepared by means of extracting principles from the global guidelines and combining the thus-extracted principles, as required.

In the first embodiment, a security policy draft preparation apparatus 20 is used for preparing a security policy draft. FIG. 4 is a block diagram showing the configuration of the security policy draft preparation apparatus 20.

As shown in FIG. 4, the security policy draft preparation apparatus 20 has inquiry preparation means 22 for preparing inquiries to be submitted to a member to be inquired, in accordance with job specifications of the member to be inquired. Inquiries are changed in accordance with job specifications of a member to be inquired for acquiring useful answers, as determined by the inquiry preparation means 12 of the appraisal device 10.

A variety of inquiries are stored beforehand in storage means 24 provided in the security policy draft preparation apparatus 20, as in the case of the storage means 14 shown in FIG. 2. The inquiry preparation means 22 extracts appropriate inquiries from the storage means 24 in accordance with job specifications of a member.

The security policy draft preparation apparatus 20 is further equipped with answer archival storage means 26. The answer archival storage means 26 stores answers into the storage means 24, as does the answer archival storage means 16. Further, the answer archival storage means 26 has an answer integration function.

Integration Function

An integration function includes the following features:

(1) A plurality of systems engineers separately conduct interviews with individual members and collect the resultant answers. For instance, if a plurality of systems engineers conduct an interview with a single member, the resultant answers are integrated into a single database. More specifically, a series of inquiries of the same type are submitted to a plurality of members, and the resultant answers are integrated into a single database.

(2) There may be a case where a single inquiry is submitted to different members through interviews. In such a case, a contradiction may arise in answers. There are two measures to eliminate the contradiction. A first measure is a re-interview. In the event that respondents have submitted incorrect answers with regard to the contradiction, it is thought that such a contradiction can be resolved by means of conducting a re-interview or inspection (or both). A second measure is to determine answers by means of assigning weights to answers in accordance with the types (job specifications) of the members.

In the present embodiment, the user can freely select either the first measure or the second measure.
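The two features of the integration function can be sketched as follows. This is an added example, not code from the patent: the job specification names, the weight values, the "latest session wins" rule, and the fallback from a weighted tie to re-interview are all assumptions, and the sample answers are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed weights per job specification (assumption: the page gives no values).
JOB_WEIGHTS = {"network_admin": 3.0, "system_admin": 2.0,
               "manager": 1.0, "end_user": 0.5}


@dataclass(frozen=True)
class Answer:
    inquiry_id: str
    member: str
    job_spec: str
    value: str
    interviewer: str
    session: int = 1  # interview occasion; a later session supersedes (assumption)


def integrate(batches):
    """Feature (1): merge per-interviewer batches into one store.

    One record is kept per (inquiry, member); when the same member answered
    the same inquiry on several occasions, the latest session is kept.
    """
    store = {}
    for batch in batches:
        for ans in batch:
            key = (ans.inquiry_id, ans.member)
            if key not in store or ans.session > store[key].session:
                store[key] = ans
    return store


def find_contradictions(store):
    """Feature (2): inquiries on which different members disagree."""
    by_inquiry = defaultdict(list)
    for (inquiry_id, _member), ans in store.items():
        by_inquiry[inquiry_id].append(ans)
    return {inq: group for inq, group in by_inquiry.items()
            if len({a.value for a in group}) > 1}


def weighted_estimate(group, weights=JOB_WEIGHTS):
    """Second measure: sum job-specification weights per answer value.

    Returns the winning value, or None on a tie, which is handed back to the
    first measure (re-interview) instead of being guessed.
    """
    totals = defaultdict(float)
    for ans in group:
        totals[ans.value] += weights.get(ans.job_spec, 0.0)  # unknown type: no weight
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
        return None
    return ranked[0][0]


def final_answers(batches, measure="weight"):
    """Return (answers free of contradiction, inquiries needing re-interview)."""
    store = integrate(batches)
    conflicts = find_contradictions(store)
    final = {a.inquiry_id: a.value for a in store.values()
             if a.inquiry_id not in conflicts}
    reinterview = []
    for inquiry_id, group in conflicts.items():
        value = weighted_estimate(group) if measure == "weight" else None
        if value is None:
            reinterview.append(inquiry_id)
        else:
            final[inquiry_id] = value
    return final, sorted(reinterview)


# Constructed sample: two systems engineers (SE1, SE2) interviewed separately.
SAMPLE_BATCHES = [
    [Answer("vpn.in_use", "alice", "network_admin", "yes", "SE1"),
     Answer("vpn.in_use", "bob", "manager", "unknown", "SE1", session=1),
     Answer("fw.default_deny", "alice", "network_admin", "yes", "SE1"),
     Answer("backup.offsite", "alice", "network_admin", "no", "SE1")],
    [Answer("vpn.in_use", "bob", "manager", "no", "SE2", session=2),
     Answer("vpn.in_use", "erin", "end_user", "no", "SE2"),
     Answer("fw.default_deny", "carol", "system_admin", "yes", "SE2"),
     Answer("backup.offsite", "bob", "manager", "yes", "SE2"),
     Answer("backup.offsite", "dave", "system_admin", "yes", "SE2")],
]

if __name__ == "__main__":
    final, todo = final_answers(SAMPLE_BATCHES)
    print("estimated final answers:", final)
    print("re-interview needed for:", todo)
```
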

The security policy draft preparation apparatus 20 has draft preparation means 28 for preparing a security policy draft. The draft preparation means 28 prepares a security policy on the basis of the group of answers stored in the storage means 24.

The security policy draft preparation apparatus 20 is a so-called expert system, as is the appraisal device 10. In fact, the previously-described individual means are preferably embodied as software which is executed on a computer.

By reference to a flowchart shown in FIG. 5, there will be described an operation for preparing a security policy draft. FIG. 5 shows a flowchart representing an operation for preparing a security policy draft through use of the security policy draft preparation apparatus 20.

In step S5-1, job specifications of members who are to be inquired are supplied to the inquiry preparation means 22, and inquiries are submitted to the members.

As set forth, in the first embodiment, inquiries to be prepared are determined in accordance with job specifications of the members. Consequently, appropriate inquiries to be submitted to members to be inquired can be prepared.

A so-called course of inquiries is determined in accordance with job specifications of a member. Actual inquiries to be submitted in each course are changed in response to an answer submitted by a member. For example, if in response to an inquiry about use of VPN a member has answered that VPN is not used, detailed inquiries about VPN are skipped. In contrast, if the member has answered that VPN is used, detailed inquiries about VPN are submitted to the member.

Such a control operation is implemented by utilization of a so-called knowledge-based expert system.

In step S5-2, the thus-prepared inquiries are submitted to members.

In step S5-3, answers to the inquiries are submitted by the members, and the answers are entered to the answer archival storage means 26 of the security policy draft preparation apparatus 20. Preferably, the answers are entered by the interviewers. As a matter of course, there may be employed a form in which individual members answer inquiries by way of a screen of the policy draft preparation apparatus 20. The answer archival storage means 26 has an answer integration function, as mentioned above, and integrates answers acquired by a plurality of interviewers into a single database and stores the single database into the storage means 24.

In step S5-4, on the basis of the group of answers stored in the storage means 24, the draft preparation means 28 prepares a security policy draft by combination of various principles extracted from the global guidelines.

As set forth, a security policy draft is prepared through use of the security policy draft preparation apparatus 20.

In the first embodiment, there are prepared three levels of (drafts of) security policy: that is, an executive-level security policy (draft), a corporate-level security policy (draft), and a product-level security policy (draft). These three levels of security policy drafts will be described later in section B-5.

B-1: Inquiries (for an interview)

Inquiries (often called an “interview”) will be described hereinbelow.

Headings of an interview are as follows:

1. Organization

2. Network

3. Server and host

4. Application and database

5. Security items of great importance

6. Other security Items

Individual headings will now be described.

(1) Organization

In connection with heading “organization” an interview is conducted for the outline and system of an “organization”. From answers to the inquiries, there can be derived an information security administration system, policy principles, and analysis of vulnerability (analysis of differences).

Heading “organization” is followed by the following sub-headings.

1.1 Management system

1.2 Employees

1.3 Outline of enterprise

1.4 Venders

1.5 Clients

1.6 Consultants

1.7 Outsourcing

1.8 Application

1.9 Network

1.10 Security profile

1.11 Business category

1.12 Organization policy

Inquiry headings may change according to job specifications. For instance, inquiry heading “host” is not provided for a chief executive officer. Thus, the present embodiment is characterized in that inquiries change according to job specifications. Thus, inquiries tailored to job specifications can be submitted to a member, thus enabling efficient conduct of an interview.

(2) Network

In connection with heading “network,” inquiries about the outline, operation, and settings of a network are submitted through an interview. From answers to these inquiries, there can be derived the vulnerability of the network, a corporate-level policy pertaining to the network, or the like.

Heading “network” is followed by the following sub-headings.

2.1 Operation environment

2.2 Network properties

2.3 Authentication and identification

2.4 Audit and logs

2.5 Access control

2.6 Modification procedures

2.7 Disaster recovery

2.8 Operation reliability

2.9 Physical security

2.10 Modem

2.11 Workstation security

(3) Server and Host

In connection with heading “server and host,” inquiries about the outline, operation, and settings of a host are submitted through an interview. From answers to the inquiries, there are derived the weakness of a host and a corporate-level policy pertaining to a host and a server.

Heading “server and host” is followed by the following sub-headings.

3.1 Properties of server and host

3.2 Authentication and identification

3.3 Audit and logs

3.4 Access control

3.5 Modification procedures

3.6 Disaster recovery and back-up

3.7 Operation reliability

3.8 Physical security

(4) Application and database

In connection with heading “application and database,” inquiries about the outline, operation, and settings of an application are submitted through an interview. From answers to the inquiries, there are derived the vulnerability of an application and a corporate-level policy pertaining to an application.

Heading “application and database” is followed by the following sub-headings.

4.1 Properties of application and database

4.2 Authentication and identification

4.3 Audit and logs

4.4 Access control

4.5 Modification procedures

4.6 Disaster recovery and back-up

4.7 Operation reliability

4.8 Physical security

(5) Security items of great importance

In connection with heading “security items of great importance,” inquiries about information usually required for establishing a firewall are submitted through an interview. From answers to the inquiries, there are derived a corporate-level policy and a product-level policy.

Heading “security items of great importance” is followed by the following sub-headings.

5.1 Management of firewall

5.2 Packet filtering

5.3 NAT (network address transfer)

5.4 SMTP content filtering

5.5 FTP content filtering

5.6 HTTP content filtering

5.7 Logs and alert

(6) Other Security Items

In connection with heading “other security items,” inquiries about information usually required for establishing VPN are submitted through an interview. From answers to the inquiries, there are derived a corporate-level policy and a product-level policy.

Heading “other security items” is followed by the following sub-headings.

6.1 VPN properties

6.2 VPN management

6.3 Key delivery

6.4 Logs and audit

B-2 Interview Style

Contents of an interview are as set forth above, and the interview is conducted in any of various forms, such as a description form or a multiple-choice form.

B-3 Interviewee

The security policy draft preparation apparatus 20 according to the first embodiment changes inquiries according to a member who is an interviewee. In short, inquiries are controlled according to job specifications of an interviewee.

Consequently, appropriate inquiries to be submitted to an interviewee can be prepared.

In more detail, a so-called course of inquiries is determined in accordance with job specifications of a member. Inquiries to be submitted in each course are changed in response to an answer submitted by a member. For example, if in response to an inquiry about use of VPN a member has answered that VPN is not used, detailed inquiries about VPN are skipped. In contrast, if the member has answered that VPN is used, detailed inquiries about VPN are submitted to the member.

Such a control operation is implemented by utilization of a so-called knowledge-based expert system.

Prior to conduct of an actual interview, job specifications of an interviewee must be entered into the security policy preparation apparatus 20. More specifically, data pertaining to the following entries are input.

*Name

*Department

*Title

Postal Code

Address

Country

Phone Number

E-mail Address

*Type

Of these entries, entries prefixed by asterisks are required entries. Here, the expression “type” denotes a symbol representing a job specification. In the present embodiment, symbols shown in FIG. 6 are used for expressing a job specification. Simply put, the “type” denotes a job specification. Inquiries to be submitted are determined on the basis of a type. A listing of types to be handled in the present embodiment is shown in FIG. 6.

Inquiries which are actually submitted to an interviewee change according to answers. Such control of inquiries is performed on the basis of a knowledge-based operation. For instance, an inquiry about an “expiration date of a password” is not submitted to members who have answered that no expiration is imposed on a password in response to an inquiry as to whether or not an expiration date is set for a password. In contrast, an inquiry about an expiration date of a password may be submitted to members who have answered that an expiration date is set for a password.
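The control of inquiries described in this section can be illustrated with the following sketch, which is an added example and not code from the specification. The type symbols, inquiry keys, and inquiry wording are constructed for illustration (the actual type symbols are those of FIG. 6), and the rule table stands in for the knowledge base of the expert system.

```python
from dataclasses import dataclass, field

# Constructed type symbols; the specification's own symbols are listed in FIG. 6.
EXEC, NETADMIN, HOSTADMIN = "EXEC", "NETADMIN", "HOSTADMIN"
ALL_TYPES = frozenset({EXEC, NETADMIN, HOSTADMIN})

# The entries marked with an asterisk in the interviewee profile.
REQUIRED_ENTRIES = ("name", "department", "title", "type")


@dataclass
class Inquiry:
    key: str
    text: str
    types: frozenset  # job types whose course of inquiries contains this inquiry
    requires: dict = field(default_factory=dict)  # earlier answers that must hold


# Constructed course of inquiries (hypothetical keys and wording).
INQUIRIES = [
    Inquiry("org.policy", "Is there a written organization policy?", ALL_TYPES),
    Inquiry("host.pw_expiry_set", "Is an expiration date set for passwords?",
            frozenset({HOSTADMIN})),
    Inquiry("host.pw_expiry_days", "After how many days does a password expire?",
            frozenset({HOSTADMIN}), {"host.pw_expiry_set": "yes"}),
    Inquiry("vpn.used", "Is a VPN used?", frozenset({NETADMIN})),
    Inquiry("vpn.key_delivery", "How are VPN keys delivered?",
            frozenset({NETADMIN}), {"vpn.used": "yes"}),
    Inquiry("vpn.logs", "Are VPN logs audited?",
            frozenset({NETADMIN}), {"vpn.used": "yes"}),
]


def validate_interviewee(profile):
    """Return the required entries that are missing, empty, or invalid."""
    missing = [e for e in REQUIRED_ENTRIES if not str(profile.get(e, "")).strip()]
    if not missing and profile["type"] not in ALL_TYPES:
        missing.append("type")
    return missing


def conduct_interview(profile, answer_for):
    """Submit the course for the interviewee's type, skipping detailed
    inquiries whose precondition answers were not given."""
    missing = validate_interviewee(profile)
    if missing:
        raise ValueError(f"required entries missing or invalid: {missing}")
    answers, asked = {}, []
    for q in INQUIRIES:
        if profile["type"] not in q.types:
            continue  # heading is not provided for this job specification
        if any(answers.get(k) != v for k, v in q.requires.items()):
            continue  # detailed inquiry skipped because of an earlier answer
        asked.append(q.key)
        answers[q.key] = answer_for(q)
    return asked, answers


if __name__ == "__main__":
    admin = {"name": "A. Example", "department": "IT",
             "title": "Network administrator", "type": NETADMIN}
    scripted = {"org.policy": "yes", "vpn.used": "no"}
    asked, _ = conduct_interview(admin, lambda q: scripted.get(q.key, "unknown"))
    print(asked)
```
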

B-4 Information Assets to be Managed

In the first embodiment, information assets for which security must be ensured are classified into five categories; namely, network, host, application, user group, and others. In a case where information assets are entered into the security policy draft preparation apparatus 20 according to the present embodiment, data pertaining to the following four entries are to be input. Here, in a case where information assets belong to either category “host” or category “network,” data pertaining to two additional entries; i.e., “IP address” and “sub-net mask,” are to be entered.

Asset ID

*Asset type

*Name of asset

Details

Of these entries, entry “asset type” covers five types.

A Application

H Host

N Network

U User group

W Others, including URL, domain names, and file names

The expression “user group” designates a logical set of users possessing a common characteristic. For example, users who handle, amend, analyze, and report accounting information are collectively called an “accounting group.” Each user group is formed from one user or two or more users. The word “user” designates a human who uses information assets.

B-5 Preparation of Security Policy Draft

A security policy is established by means of entering into the security policy draft preparation apparatus 20 answers to the foregoing inquiries. This device is a so-called expert system. By means of entry of answers to inquiries into a system, the system produces and outputs a security policy. Such a device which produces data of some kind in response to entry of answers to inquiries has already been known as an expert system, and hence its detailed explanation is omitted.

In the first embodiment, three levels of security policies are produced; i.e., an executive-level security policy, a corporate-level security policy, and a product-level security policy. Similarly, there are prepared three levels of security policy drafts corresponding to the respective security policies.

(1) Executive-level Security Policy

An executive-level security policy consists of descriptions of the organization's “concept” and “policy” concerning security.

An executive-level policy includes the following items.

Access Control

An owner of information assets must manage and control the right to access information assets. In order to implement control of the access right, an access control mechanism of a control system used for preserving or processing information assets must be used. Item “access control” describes the organization's concept and policy concerning control of the access right.

Accuracy of Information

It is extremely important to maintain the contents of information assets accurately as they are, because information assets are indispensable for making business decisions. Item “accuracy of information” describes the organization's concept and policy concerning the guarantee of accuracy of information assets content.

Guarantee

An organization must employ appropriate measures to ensure suitable safety of information resources or security. Item “guarantee” describes the organization's concept and policy concerning measures to ensure safety.

Accountability

All systems must enable recording and analysis of user activities, and an individual user must have responsibility for his own acts. Item “accountability” describes the organization's concept and policy concerning personal responsibility of an individual user.

Identification and Verification

All users must be appropriately identified in accordance with the security level of information assets. Items “identification and verification” used herein describe the organization's concept and policy concerning such identification.

Emergency Response Plan

An organization must prepare a detailed plan and procedures for ensuring appropriate response to obstacles in a system and a network. Item “emergency response plan” describes the organization's concept and policy concerning a plan and procedures for response to an emergency.

Awareness of Security

Top executives and other employees must become conscious of requirements for the organization's information security, as well as of their personal responsibility. Item “awareness of security” describes the organization's concept and policy concerning personal responsibility.

Categorization of Information

Information security is for protecting information assets. For this reason, information assets which are objects of protection must be categorized and appropriately protected according to categories. Item “categorization of information” describes the organization's concept and policy concerning information assets.

Vocational Ethics

A user must obey the determined rule for action and handle information assets ethically. In the event a user handles information assets unethically, breaks a law and rule, or handles information assets for his private benefit, the user will be subjected to sanction. In short, the user must be conscious that he may be subjected to sanction. Item “vocational ethics” describes the organization's concept and policy concerning the rule for action a user must obey.

Document Management

All security systems must be appropriately recorded in documents and referred to as necessary. Item “document management” describes the organization's concept and policy concerning documentation.

Investigation

In the event of an obstacle or violation, the organization must investigate the obstacle and violation and record their details in documents according to the security policy. Item “investigation” describes the organization's concept and policy concerning investigation and documentation of obstacles and violations.

Privacy

Information assets are to be used on the precondition that the privacy of concerned members is guaranteed. Item “privacy” describes the organization's concept and policy concerning privacy.

Risk Management

An owner of information assets must evaluate potential risks and take appropriate measures to control and protect information. Item “risk management” describes the organization's concept and policy concerning evaluation of risks and measures to control and protect information.

Verification

An organization must periodically verify implementation of security. Item “verification” describes the organization's concept and policy concerning verification of security.

Asset Assessment

An organization must analyze its information assets. Item “asset assessment” describes the organization's concept and policy concerning assessment of assets.

Security Management

An organization must manage its security policy properly and revise the security policy when amendment or improvement is necessary. Item “security management” describes the organization's concept and policy concerning security management.

(2) Corporate-level Policy

With regard to information assets of an organization, descriptions of the executive-level policy are applied to a corporate-level policy. The corporate-level policy corresponds to descriptions of “operating procedures.” The corporate-level policy is applied to each operating unit of the organization. Operating units are formed by means of dividing constituent elements of an information system into groups according to function. For example, a network, a host, and an application are operating units.

The executive-level policy describes the so-called “constitution” (dominant principles), whereas the corporate-level policy describes “laws” (rules based on the dominant principles).

The corporate-level security policy describes standards for the information security system of the overall organization; and standards for individual equipment constituting the information security system of the organization.

First, the corporate-level security policy is a policy concerning all operating units which constitute the organization. For example, regulations are described for each operating unit.

Network

Item “network” describes regulations concerning the entire network of the organization.

Host

Item “host” describes regulations concerning all hosts provided in the organization.

Application

Item “application” describes regulations concerning all applications employed in the organization.

Second, the corporate-level security policy describes individual units into which the operating units are further sub-divided. For example, the corporate-level security policy comprises descriptions pertaining to the following items.

Software Management

Item “software management” describes regulations with regard to use of software in the organization and management of software licenses.

Dial-Up

Item “dial-up” describes regulations with regard to individual dial-up and remote access servers employed in the organization.

Electronic Mail

Item “electronic mail” describes regulations with regard to individual e-mail accounts and messages in the organization.

Firewall Management

Item “firewall management” describes regulations with regard to management of individual firewalls used in the organization.

Cryptography

Item “cryptography” describes regulations with regard to implementation of individual cryptographic tools used in an organization.

Electronic Commerce

Item “electronic commerce” describes regulations with regard to electronic transactions used in the organization.

Network

Item “network” describes regulations with regard to implementation of individual networks employed in the organization.

Host

Item “host” describes regulations with regard to implementation of individual hosts used in the organization.

Application

Item “application” describes regulations with regard to individual applications used in the organization.

(3) Product-level Policy

A product-level policy describes specific “operating procedure including methods” to be used for protecting information assets and the nature of resources (security products and operating systems) and settings thereof. The executive-level policy describes a policy and management rules, whereas the product-level policy refers to details of hardware and software. On the basis of the “principles” provided by the executive-level policy and the “specifications” provided by the corporate-level policy, there is provided a specific “method” for embodying protection of information assets. Hence, the product-level policy includes descriptions regarding implementation of specific technology.

The product-level policy includes descriptions about software and hardware, as well as specific rules for operating software and hardware.

For reasons of actual job performance, there may be a case where products to be used are changed, and alternate equipment may be used for reasons of equipment failure. Liability for such circumstances or product standards is left to the “principles” stipulated in the executive-level policy or to the “regulations” stipulated in the corporate-level policy. In other words, the executive-level policy or the corporate-level policy must sufficiently specify measures against these circumstances.

So to speak, the previously-described executive-level policy states the principle; for example, a rule about a necessity for revoking an access right after completion of a job requiring the access right.

The corporate-level policy states specific rules; for example, a rule about a necessity for controlling access by means of an operating system.

In contrast, the product-level policy stipulates specific means; for example, a stipulation stating that “Access control rule for server A: only a member who has an authorization greater than or equal to Chief of Section in department B can access server A.”

Another example is “Administrator X controls access to server A. A member who requires access to server A for business must request administrator X to issue an access right. After completion of the job, the member immediately requests administrator X to revoke the access right.”

In the present embodiment, there are two product-level policies.

A first-level product policy describes settings of individual equipment constituting the information security system in natural language, as are the executive-level policy and the corporate-level policy. The foregoing examples belong to the first-level product-level policy.

A second-level product policy describes settings of individual equipment constituting the information security system in specific language used in specific equipment. In other words, a second-level product policy is a script file stating settings of specific systems. More specifically, the second-level product-level policy describes a setting script file of an individual system (including both hardware and software). Therefore, the second-level product-level policy can be used for setting a system, in its present form. In the present embodiment, a specific script file of an individual system is prepared as a product-level security policy. Accordingly, there are yielded an advantage of alleviating labor required for actually setting firewalls or routers.

Next, there is examined and analyzed a difference existing between the thus-prepared security policy draft, realities of an information system, and a method of operating the information system. Inspection and analysis to be performed are made up of the following.

A security policy draft is prepared on the basis of inquiries and answers thereto. In this process, variations or contradiction between answers may arise. Moreover, answers are not necessarily correct.

For these reasons, the following operations are performed during inspection and analysis.

First, answers are examined as to whether or not contradiction arises among a plurality of answers. Further, there is performed a comparison between the security policy draft and an information system depicted from answers acquired by means of interviews. A comparison is made between the security policy draft and the actual information system which has been verified through inspection, thereby detecting a difference.

An information system is actually inspected through use of an analyzer, which is an expert system. FIG. 7 is a block diagram showing the configuration of an analyzer 30. As can be seen from the drawing, the analyzer 30 has contradiction inspection means 32 for inspecting whether or not contradiction arises in a group of answers. An inspection result is supplied to contradiction output means 40.

The contradiction output means 40 outputs the inspection result to the outside in the form of an interview result contradiction report.

Contents of the interview result contradiction report are supplied to matching means 41. In a case where a contradiction between answers is found, the matching means 41 performs the operation that the user selects from the two operations provided below.

(1) On the basis of job specifications of the members, the most probable answer is estimated and displayed before the user. The user can adopt the estimated probable answer.

(2) An interview is conducted again with regard to a contradiction, or realities of the information system are actually investigated. Alternatively, both conduct of a re-interview and actual inspection of an information system are desirably performed.

Matched results (i.e., answers obtained as a result) of the interview are supplied to a virtual information system establishment means 34.

On the basis of a group of matched answers, the virtual information system establishment means 34 virtually establishes an information system for the organization. The configuration and operation of the information system established by the virtual information system establishment means 34 are supplied to difference output means 38.

The analyzer 30 has real system input means 36 for entering the configuration and operation of an actual information system of the organization. The configuration and operation of a real system entered by way of the real system input means 36 are supplied to the difference output means 38.

As mentioned above, the virtual information system is established on the basis of only interview results. Therefore, so long as the virtual information system which has been verified through use of an actual information system is compared with a security policy draft, points of the actual information system which are to be amended can be ascertained more clearly.

The more accurate an actual inspection conducted for the purpose of verification, the more preferable an inspection result. Investigation of the entire information system consumes much time and effort and makes interviews meaningless.

For these reasons, investigation of an actual information system is performed as a supplement to the answers obtained through the interviews. An efficient way of attaining this is to verify the virtual information system and analyze a difference between the thus-verified information system and the security policy.

For example, emphasizing investigation of a contradiction between answers is preferable. An alternative is emphasizing investigation of an inquiry for which a member (i.e., interviewee) could not answer due to forgetfulness.

The extent to which an investigation is to be performed should be determined on the basis of a required accuracy, time limit, and costs. The thus-determined difference is output as an analysis report.

Further, a security policy draft is supplied to the difference output means 38. By means of the foregoing configuration, the difference output means 38 performs the following two comparison operations, thereby detecting and outputting respective differences.

(1) Analysis of a difference between a security policy draft and the result of an interview.

(2) Analysis of a difference between a security policy and an interview result which has been verified by means of actual inspection.

Through analysis of a difference stated in (1), a security policy draft is compared with the information system established by the virtual information system establishment means 34. Both the security policy draft and the information system are prepared on the basis of results (answers obtained as a result) of interviews conducted with the members. Therefore, it is possible that no substantial difference is found as a result of comparison.

For example, it is possible that answers to interviews state that “a password is unlimitedly valid.” However, the security policy is not allowed to make a password unlimitedly valid. Expiration of a password is a fundamental requirement of the security policy. A security policy without such a requirement does not merit being called a security policy.

For this reason, a difference can exist between a security policy draft and interview results. A detected difference is output as an analysis report.

By means of this analysis report, portions of interview results which are to be amended in terms of security policy can be found.

During analysis of a difference stated in (2), a security policy draft is compared with the established virtual information system which has been verified by means of actual inspection.

Either comparison (1) or (2) or both may be performed. Preferably, if an insufficient result is obtained as a result of implementation of comparison (1), comparison (2) is performed.

Preferably, higher-priority portions are subjected to actual inspection, in consideration of the priority determined as a result of step 2 (S1-2 in FIG. 1) inspection and analysis to be described later.

FIG. 5 shows a flowchart representing processing pertaining to step 2. The flowchart shows in more detail processing pertaining to step S1-2 shown in FIG. 1.

In step S5-5, an inspection is performed as to whether or not answers include a contradiction, through use of the contradiction inspection means 32. In step S5-6, an inspection is performed as to whether or not a difference exists between a security policy draft and interview results, through use of the difference output means 38. Here, the interview results comprise a virtual information system established on the basis of answers to interviews and the virtual information system which has been verified by means of actual inspection of a real information system.

As mentioned above, according to the present embodiment, since the analyzer 30 shown in FIG. 7 is employed, the user can immediately become aware of whether or not answers include a contradiction or whether or not a difference exists between answers and a real information system.

Here, the analyzer 30 is a so-called expert system. Further, the previously-described means are preferably implemented by software which runs on a computer.
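The data flow through the analyzer 30 (contradiction inspection, matching by job specification, establishment of the virtual information system, and the two comparisons against the security policy draft) can be sketched as follows. This is an added example and not code from the specification; the answers, inquiry keys, job type symbols, authority ranking, and inspection result are all constructed for illustration.

```python
from collections import defaultdict

# Constructed interview results: (member, job type, inquiry key, answer).
ANSWERS = [
    ("member-1", "HOSTADMIN", "password.expires", "no"),
    ("member-2", "EXEC", "password.expires", "yes"),
    ("member-1", "HOSTADMIN", "segment.admin_designated", "yes"),
    ("member-3", "NETADMIN", "segment.admin_designated", "yes"),
]

# Assumption: for each heading, job types ordered from most to least likely
# to know the real state. This stands in for the expert system's knowledge.
AUTHORITY = {
    "password": ["HOSTADMIN", "NETADMIN", "EXEC"],
    "segment": ["NETADMIN", "HOSTADMIN", "EXEC"],
}

# Constructed security policy draft and partial result of actual inspection.
POLICY_DRAFT = {"password.expires": "yes", "segment.admin_designated": "yes"}
REAL_SYSTEM = {"segment.admin_designated": "no"}


def inspect_contradictions(answers):
    """Contradiction inspection: inquiries answered differently by members."""
    by_key = defaultdict(list)
    for member, job, key, value in answers:
        by_key[key].append((member, job, value))
    return {key: rows for key, rows in by_key.items()
            if len({value for _, _, value in rows}) > 1}


def match_answers(answers, contradictions):
    """Matching, operation (1): adopt the answer of the member whose job
    specification makes it the most probable one."""
    matched = {key: value for _, _, key, value in answers
               if key not in contradictions}
    for key, rows in contradictions.items():
        ranking = AUTHORITY[key.split(".")[0]]
        _, _, value = min(rows, key=lambda row: ranking.index(row[1]))
        matched[key] = value
    return matched


def differences(policy, system):
    """Difference output: policy items the described system does not meet."""
    return {key: {"policy": want, "system": system.get(key, "unknown")}
            for key, want in policy.items() if system.get(key) != want}


def analyze(answers, policy, real_system):
    contradictions = inspect_contradictions(answers)
    virtual = match_answers(answers, contradictions)  # virtual information system
    verified = {**virtual, **real_system}             # inspected facts override answers
    return {
        "contradiction_report": sorted(contradictions),
        "comparison_1": differences(policy, virtual),   # draft vs. interview result
        "comparison_2": differences(policy, verified),  # draft vs. verified result
    }


if __name__ == "__main__":
    for name, value in analyze(ANSWERS, POLICY_DRAFT, REAL_SYSTEM).items():
        print(name, value)
```

In this constructed data, comparison (1) reports only the password expiration difference, while comparison (2) additionally reports the undesignated segment administrator, which only the actual inspection revealed.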

C. Step 3: System, and Actual Inspection and Analysis of Operation of the System

Actual Inspection and Analysis

Through actual inspection and analysis, a difference obtained in step S1-2 (FIG. 1) actual inspection and analysis is classified into one of three categories; that is, a difference in member assignment, a difference in operating method, and a difference in technical measures. For each of the three types of difference, countermeasures and priority are analyzed.

Example measures for a case where a difference exists in network policies, and the priority of the measures, will be described.

(1) Difference 1

Type of Difference: Difference in personnel assignment

Details: The network policy states that an administrator of each network segment is to be clearly designated. However, network segment administrators are not clearly designated in a real information system.

Measures: Administrators or owners are clearly allocated to respective network segments.

Priority: Immediately

(2) Difference 2

Type of Difference: Difference in technical measures

Details: The network policy states that if a password to be used for user authentication in a network has not been used for a long period of time, the password should be deleted. However, the real information system has no system for deleting such a password.

Measures: Establish a system for deleting a password assigned to a user account which has not been used for 30 days.

Priority: High

As mentioned above, the first embodiment facilitates devising of measures for eliminating a difference between answers given in interviews and the real information system. Accordingly, a discrepancy between a security policy and the real information system is easily eliminated.

D Step 4: Adjustment of Policy and Rules

In step 3, the discrepancy between the real information system and the security policy draft is clarified, and measures for eliminating the discrepancy and the priority of the measures are also made clear. In step 4, measures and actual work are examined.

Measures are roughly classified into two categories.

(1) Adjust the security policy draft so as to match the real information system.

(2) Adjust operation rules of the real information system.

These measures will now be described in detail.

D-1 Adjustment of Security Policy Draft

As has been described, the security policy draft is called a set of global guidelines. The security policy draft is prepared by means of appropriate combination of basic items and contents for establishing a standard security policy. Several types of global guidelines have already been known. In the first embodiment, rules and policies are extracted from the global guidelines, as required, and a security policy is drafted by use of the thus-extracted rules and policies in combination. In the drafting phase, the most rigorous global guideline is selected from several types of global guideline, and the thus-selected guideline is taken into a security policy draft.

Thus, in terms of severity of a rule, global guidelines differ from each other according to type. For example, a certain global guideline defines a password as being valid for 60 days, whereas another global guideline defines a password as being valid for 180 days.

In the drafting phase, individual rules are defined so as to comply with the most rigorous requirements. Some organizations may consider that rules of a security policy draft are unacceptably rigorous. In such a case, the rules are preferably changed to less rigorous rules.

In a case where a rule for defining a single password as being valid for 60 days is considered to be unacceptably rigorous, the duration of validation of a password is changed to 180 days after discussions with the organization. Thus, a rigorous rule is changed to a less rigorous rule.

In this way, so long as the severity of each rule is changed in consideration of the result of a comparison between the organization's intent and the rigorousness of the rule, a security policy matching a real information system can be established.

A security policy draft is adjusted in the manner as mentioned above.
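The drafting rule (take the most rigorous value among the global guidelines) and the subsequent relaxation can be sketched as follows. This is an added example and not code from the specification; the guideline names and the minimum password length rule are constructed, and the restriction that a rule may be relaxed no further than the least rigorous guideline is an assumption of this sketch.

```python
# Constructed guideline excerpts. Only the 60-day and 180-day password
# validity values come from the text; names and other values are hypothetical.
GUIDELINES = {
    "guideline-A": {"password_valid_days": 60, "min_password_length": 6},
    "guideline-B": {"password_valid_days": 180, "min_password_length": 8},
}

# For each rule, the function that picks the more rigorous of several values:
# a shorter validity period is stricter, a longer minimum length is stricter.
STRICTER = {"password_valid_days": min, "min_password_length": max}
LOOSER = {min: max, max: min}


def draft_rules(guidelines):
    """Drafting phase: for every rule, adopt the most rigorous value stated
    by any guideline, remembering which guideline it came from."""
    stated = {}
    for source, rules in guidelines.items():
        for rule, value in rules.items():
            stated.setdefault(rule, []).append((value, source))
    return {rule: STRICTER[rule](values, key=lambda pair: pair[0])
            for rule, values in stated.items()}


def adjust_rule(draft, guidelines, rule, requested):
    """Step 4 adjustment: relax one rule at the organization's request.
    Assumption: the new value must stay between the most rigorous and the
    least rigorous value found in the guidelines."""
    values = [rules[rule] for rules in guidelines.values() if rule in rules]
    strictest = draft[rule][0]
    loosest = LOOSER[STRICTER[rule]](values)
    low, high = sorted((strictest, loosest))
    if not low <= requested <= high:
        raise ValueError(
            f"{rule}={requested} is outside the guideline range {low}..{high}")
    adjusted = dict(draft)
    adjusted[rule] = (requested, "adjusted after discussion with the organization")
    return adjusted


if __name__ == "__main__":
    draft = draft_rules(GUIDELINES)
    print(draft)
    print(adjust_rule(draft, GUIDELINES, "password_valid_days", 180))
```
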

D-2 Adjustment of Rules

On the basis of the measures described in connection with level-2 inspection and analysis, operation rules of the real information system are adjusted. Adjustment of rules means modifications to an operating method and modifications to rule settings of a security system (e.g., a firewall).

E Step 5: Priority Planning

Establishment of a security policy for the real information system of an organization is completed by step 4.

Security measures must be sequentially performed in accordance with the thus-established security policy. In step 5, measures are examined in consideration of priority and are described in a list. Preparation of such a list enables planning of future security measures, and a budget can also be examined on the basis of the plan. Without such a list, forecasting costs for future information security would be difficult, thus imposing difficulty in drawing up a budget.

Security measures include training for compelling members to respect a security policy and analysis of system logs as well as introduction and testing of a security system.

A security policy includes monitoring of a network, auditing of operations on the basis of a security policy, and review of a security policy.

There may be a case where a security policy must be modified in accordance with a change in the organization's information system or a change in the operation of an information system. For this reason, the security policy must be reviewed periodically.

F Step 6: Implementation of Security Enhancement Measures

On the basis of the security measures list which has been prepared in step 5 in consideration of priority, security enhancement measures are actually implemented. Security enhancement measures can be smoothly implemented in accordance with the list and the security policy.

In the first embodiment, processing from establishment of a security policy to maintenance thereof is performed in six steps. Therefore, a security policy can be established and implemented stepwise and can be implemented in consideration of organization's desires.

Second Embodiment: Consideration of Field of Business

The first embodiment has described an example in which inquiries are changed in accordance with job specifications of members belonging to an organization. However, no particular consideration is paid to the field of business of an organization.

For instance, a security policy to be established in an organization inthe financial industry differs from that to be established in anorganization in the manufacturing industry.

For this reason, in the second embodiment, establishment of a securitypolicy in consideration of the field of business of an organization isput forward.

The security policy draft preparation apparatus 20 shown in FIG. 4changes inquiries in accordance with job specifications of a member. Inaddition to changes in inquiries, in the second embodiment there will bedescribed a case in which inquiries are changed in accordance with thefield of business of an organization.

FIG. 9 is a block diagram showing the configuration of a security policy draft establishment device 120 according to a second embodiment of the present invention.

The security policy draft establishment device 120 is substantially identical with the security policy draft establishment device 20 shown in FIG. 4.

One of the differences between the security policy draft establishment devices 20 and 120 lies in that the security policy draft establishment device 120 has inquiry preparation means 122 for preparing inquiries on the basis of the field of business of an organization to which members to be interviewed belong.

Inquiries which vary according to field of business are stored in storage means 124 beforehand. On the basis of an entered field of business, the inquiry preparation means 122 reads from the storage means 124 inquiries corresponding to the field of business.

Answer archival storage means 126 operates in substantially the same manner as does the answer archival storage means 26 shown in FIG. 4.

This configuration enables establishment of a more elaborate security policy by means of preparing inquiries corresponding to the field of business of the organization.

For instance, an inquiry stating “How is a depositor list managed?” is to be prepared for an organization pertaining to the financial industry. However, generation of this inquiry for an organization belonging to the manufacturing industry is meaningless. Conversely, an inquiry stating “How is progression data pertaining to each manufacturing lot managed?” is to be prepared for an organization belonging to the manufacturing industry. However, generation of this inquiry for an organization belonging to the financial industry is meaningless.

Consequently, in the second embodiment, inquiries are changed according to the field of business of an organization, and more detailed inquiries can be made, so that details of an organization's information system (including operation and management of the system) can be ascertained more thoroughly.

Here, a change in inquiries means a change in a course of inquiries, as in the case of job specifications. More specifically, a course including inquiries aimed at the financial industry is applied to an organization belonging to the financial industry. Further, a menu including inquiries aimed at the manufacturing industry is applied to an organization belonging to the manufacturing industry. In each course, the next inquiry to be submitted is changed in accordance with the answer submitted by a member in response to the preceding inquiry, as in the case of the first embodiment.

A draft preparation means 128 shown in FIG. 9 is essentially identical with the draft preparation means 28 shown in FIG. 4. On the basis of answers responding to more detailed inquiries prepared by the inquiry preparation means 122, the draft preparation means 128 prepares a security policy draft. Consequently, as mentioned previously, a more detailed security policy draft can be prepared.

Operation required for preparing a security policy draft according to the second embodiment is substantially identical with that described in the flowchart shown in FIG. 5.

A difference between the operation employed in the second embodiment and that described in connection with the first embodiment lies in that in step S5-1 the field of business of an organization is supplied to the inquiry preparation means 122, as in the case of job specifications of a member. As a result, the inquiry preparation means 122 can prepare appropriate inquiries on the basis of the job specifications of members and the field of business of an organization.

In the second embodiment, inquiries are prepared in consideration of the field of business of an organization. Hence, an organization's information security system can be ascertained in more detail through an interview. Consequently, establishment of a more detailed security policy becomes feasible.

Although the above description has described an example in which inquiries are changed according to the field of business of an organization, inquiries may be changed according to the scale of an organization.

In the above description, a change in the course of inquiries has been taken as an example change in inquiries. However, methods of other types can be employed. For instance, it is desirable to have determined a basic framework of inquiry statements in advance and to change terms in the inquiry statements in compliance with the field of business of an organization. More specifically, there is a conceivable method in which, although “president” is used in inquiry statements aimed at general corporations, the term “president” is switched to “bank president” in the case of an inquiry statement being made to a bank.

Third Embodiment Consideration of Recommendations and Regulations in a Specific Industry

In the example described in connection with the first embodiment, a security policy is established on the basis of global guidelines (step S5-4). In many cases, global guidelines are prepared in consideration of a specific objective. However, the global guidelines are generally constructed so that they may be used for general purpose.

In contrast to these general-purpose global guidelines, recommendations and regulations within a specific industry are known. In contrast with global guidelines, the recommendations and regulations clearly state that they are aimed at a specific industry. There are many cases where recommendations and regulations refer to information security, and utilization of recommendations and regulations during establishment of a security policy as in the case of global guidelines is desirable.

For example, the Japanese FISC (The Center for Financial Industry Information Systems) lays down safety provisions and prevalence of a security policy for ensuring security. FISC publishes a journal titled “Safety Provision Standards for Computer Systems in Financial Institutions.”

In a third (this) embodiment, when a security policy aimed at the financial industry is established, there is proposed establishment of a security policy on the basis of “Safety Provision Standards for Computer Systems in Financial Institutions” as well as on the basis of global guidelines. As a result, in the field of a specific industry, a security policy for the industry is established on the basis of recommendations and regulations focused on the industry. Hence, establishment of a more elaborate security policy becomes feasible.

The security policy draft preparation apparatus which utilizes recommendations and regulations aimed at a specific industry is shown in FIG. 9 in connection with the third embodiment. FIG. 9 is a block diagram showing the configuration of a security policy draft preparation apparatus 220 according to the third embodiment. As illustrated, the security policy draft preparation apparatus 220 is substantially identical in configuration with the security policy draft preparation apparatus 120 shown in FIG. 8. The difference between them lies in that information concerning the field of business of an organization is supplied to draft preparation means 228 as well as to inquiry preparation means 222. On the basis of the field of business of an organization, the draft preparation means 228 selects global guidelines to be used for preparing a security policy draft. The number of global guidelines to be selected is not limited to one; there may be a case where two or more global guidelines may be selected. Furthermore, the construction shown in FIG. 9 has features as follows.

First, a point of novelty of the third embodiment lies in that recommendations and regulations which are aimed at a specific industry are displayed before the users. The users can select any recommendations and regulations on the basis of the industry of an organization. For example, in the field of the financial industry, preparation of a security policy (draft) utilizing recommendations and regulations aimed at the financial industry becomes feasible through the foregoing operations.

Second, information concerning recommendations and regulations aimed at a specific industry is stored in a storage means 224 in the same manner as is information concerning global guidelines. By means of the thus-stored information, the inquiry preparation means 222 can prepare inquiries in compliance with the recommendations and regulations established for the industry to which an organization pertains. In accordance with the thus-stored information, the draft preparation means 228 enables establishment of a security policy on the basis of the recommendations and regulations established for the industry to which an organization pertains.

Operation required for preparing a security policy draft according to the third embodiment is essentially identical with that described in connection with the flowchart shown in FIG. 5. Differences are as follows:

First, in step S5-1 the field of business of an organization is supplied to the inquiry preparation means 222, and inquiries complying with the recommendations and regulations aimed at the industry to which an organization pertains are prepared. If the user did not select the displayed recommendations or regulations, then inquiries are prepared on the basis of global guidelines, as in the case of the first through second embodiments. Likewise, if such recommendations or regulations are not present, inquiries are prepared on the basis of global guidelines, as in the case of the first through second embodiments.

Second, in step S5-4 the field of business of an organization is supplied also to the draft preparation means 228. The draft preparation means 228 prepares a security policy draft in compliance with the recommendations and regulations aimed at the industry to which the organization pertains. If the user did not select the displayed recommendations or regulations, a security policy draft is prepared on the basis of global guidelines, as in the case of the first through second embodiments. Likewise, if such recommendations or regulations are not present, a security policy draft is prepared on the basis of global guidelines, as in the case of the first through second embodiments.

For example, an inquiry stating “Do you have personnel responsible for a trunk network?” is prepared in accordance with global guidelines. However, particularly in the case of the financial industry, an inquiry stating “Do you have personnel responsible for an ATM (automatic teller machine) network?” is prepared in accordance with the “Safety Provision Standards for Computer Systems in Financial Institutions” set forth.

Such an inquiry is prepared by means of the technique of “changing an inquiry according to field of business” mentioned in connection with the second embodiment. For example, if the field of business of an organization is the financial industry, an inquiry complying with the “Safety Provision Standards for Computer Systems in Financial Institutions” is prepared and used for an interview. An expert system which prepares such an inquiry can be configured by means of utilizing knowledge-based information including information about the “Safety Provision Standards for Computer Systems in Financial Institutions.”

Establishment of a security policy by use of such a technique enables establishment of a more elaborate security policy.

Overlap Between Items

In connection with items which do not appear in global guidelines and appear in only the recommendations and regulations aimed at a specific industry, it goes without saying that a security policy is established on the basis of the recommendations and regulations.

Conversely, in connection with items which appear in only global guidelines and not in the recommendations and regulations aimed at a specific industry, a security policy is established on the basis of global guidelines, as in the case of the first embodiment.

Further, in connection with items which appear in global guidelines and in the recommendations and regulations aimed at a specific industry, establishment of a security policy on the basis of the recommendations and regulations is desirable.

Fourth Embodiment Designation of Global Guidelines by User

Establishment of a security policy based on global guidelines or recommendations and regulations aimed at a specific industry has been described thus far.

It is considered that a user may desire to establish a security policy on the basis of a certain global guideline. For example, in a certain nation (e.g., the U.S.), a specific global guideline (e.g., COBIT) has already been utilized as a de facto standard global guideline (COBIT will be described later). Against this backdrop, there are many cases where establishment of a security policy on the basis of this specific global guideline (e.g., COBIT) is desirable.

In the fourth embodiment, there is proposed construction of a global guideline to be utilized in establishing a security policy such that a user can designate the global guideline explicitly.

FIG. 10 is a block diagram showing the configuration of a security policy draft preparation apparatus 320 according to the fourth embodiment. As illustrated, information concerning the global guideline designated by the user is supplied to an inquiry preparation means 322 and to a draft preparation means 328.

The inquiry preparation means 322 prepares an inquiry (or inquiries) on the basis of job specifications of a member. In the fourth embodiment, during preparation of inquiries the inquiry preparation means 322 prepares inquiries complying with the global guideline designated by a user.

The draft preparation means 328 prepares a security policy draft on the basis of the global guideline prescribed by the user.

Operation required for preparing a security policy draft according to the fourth embodiment is substantially identical with that shown in FIG. 5 exclusive of the following points of difference.

A first difference lies in that in step S501 an inquiry complying with the global guideline prescribed by the user is prepared.

A second difference lies in that in step S5-4 a security policy draft complying with the global guideline prescribed by the user is prepared.

In the fourth embodiment, a global guideline to be used for establishing a security policy can be selected. Inquiries are prepared in compliance with the global guideline selected by the user, and a security policy draft is prepared on the basis of answers to the inquiries. Consequently, establishment of a security policy complying with the global guideline desired by the user becomes feasible.

For example, if a user has selected BS7799 to be described later, a security policy complying with (or to comply with) BS7799 can be established.

Global Guidelines

Examples of widely known global guidelines are provided below.

(1) BS7799

BS7799 was established by the BSI (British Standards Institution) in 1995. BS7799 prescribes fundamental management items (control) which summarize best practices in connection with information security.

When information assets must be protected regardless of the scale of an organization, in connection with an administration, an NGO (Non Governmental Organization), or an NPO (Non Profit Organization), to say nothing of an industry, standards of BS7799 are to be used as a code and reference of one type when the range of information security is clarified.

Hence, the standards of BS7799 have the same objective as that of ISO/IEC 13335 “IT security management guidelines (GMITS)” or that of ISO/IEC 15408 “IT security evaluation standards,” which will be mentioned later. BS7799 differs from the global guidelines in the following two points.

First, other regulations specify details of security techniques while IT is taken as an object. In contrast, BS7799 provides comprehensive guides and references pertaining to a management system. Second, the object of BS7799 is not limited to an electronic medium. Various information assets, such as paper mediums, are taken as objectives of security.

Recently, BS7799 has gained international attention. As a matter of course, detailed individual control of information security is important. The reason for this is attributable to the following perception. As can be seen in requirements for system standards laid out in ISO 9000, a perception that a system for creating a management plan (through analysis of risk), monitoring distribution and management of required resources, and objectively reviewing the plan is effective for information security management is said to have become widespread.

BS7799 is constituted of two parts; that is, a first part relating to standards for implementing information security management, and a second part relating to specifications of an information security system. The first part describes best practices and provides guidelines for providing management advice. The second part describes development of a management framework and references for “system audit.” The first part (BS7799-1) is now adopted by ISO as ISO17799.

(2) GASSP

GASSP (Generally Accepted System Security Principles) is intended for promoting good practice and alleviating risk and influence of risk. GASSP employs an information security policy laid down by OECD in the form of a hierarchical model and extends details of the policy.

A policy which is in the highest hierarchical level and serves as a basic policy is called pervasive principles and posts a target security concept.

The policy of the next hierarchical level is called broad function principles and states specific implementation of the pervasive principles.

The policy of the next lower hierarchical level is called detailed principles and describes detailed security guidelines corresponding to an environment.

The policies describe management of privacy of an individual and that of an organization, as well as guidelines relating to management and products.

(3) GMITS

GMITS (The Guidelines for the Management of IT Security) is prepared by ISO (International Organization for Standardization). The GMITS is intended for setting standards pertaining to operation, management, and planning of the security of information technology.

GMITS consists of five parts:

Part 1: Concepts and models for IT Security

A general description of information security is provided in Part 1.

Part 2: Managing and Planning IT Security

Part 2 describes an operation analogous to a security life cycle.

Part 3: Techniques for the Management of IT Security

Part 3 describes details of the descriptions provided in Part 2.

Part 4: Selection of Safeguard

Part 4 describes the selection of security measures on the basis of the security rules.

Part 5: Management Guidance on Network Security

Part 5 is, as of now, a draft version such as a preliminary revision.

(4) ISO/IEC 15408

ISO/IEC 15408 is a “Collection of Requirements” into which are compiled requirements pertaining to a security function which products or a system using information technology is to have (i.e., functional requirements) and requirements for seeking ascertainment of reliable implementation of a security function during the process of proceeding from the design phase to commercialization of a product (guarantee requirements).

(5) COBIT

COBIT (Control Objectives for Information and Related Technology) shows good practices of security suitable for a framework of a process extending over a plurality of fields and provides a manageable logical structure. The good practices are prepared on the basis of the consent of many experts. COBIT is a global guideline designed for serving in resolving a business risk or a gap between the necessity of control and a technical problem.

(6) EU Instructions

Here, EU instructions are officially known as “Instructions issued by the European Parliament and Board with regard to protection of an individual in connection with personal data processing and to free transfer of personal data.” The EU instructions specify general rules concerning the legitimacy of personal data processing. More specifically, the EU instructions specify the principle of data quality, a principle on grounds for legitimacy of data processing, information to be given to a person whose personal data are to be processed, and the right of the person to access his/her own data.

Fifth Embodiment Designation of Rigorousness

In the embodiments which have been described thus far, the rigorousness of a security policy has been adjusted manually, namely by the user's operation in step S1-4 shown in FIG. 1.

However, when the rigorousness of a desired security policy has been determined beforehand, it is desirable to reflect the desired rigorousness on a security policy from the phase of preparation of security policy draft in step S1-2.

In step S4-1 shown in FIG. 1, the rigorousness of each rule has been artificially adjusted. However, if a user can define an indicator of rigorousness, specify the rigorousness of a security policy using the indicator, and automatically adjust the rigorousness of each rule on the basis of the thus-prescribed rigorousness, convenience will be afforded to the user.

The fifth embodiment is characterized in that the user can objectively specify the rigorousness of a security policy in steps S1-2 or S1-4 shown in FIG. 1.

In order to implement designation by the user of rigorousness of a security policy, in the sixth embodiment five types of indicators representing the rigorousness of a security policy are defined. The indicators are arranged in descending order of rigorousness. The “highest level” indicator has the highest level of rigorousness, and an “educational institution level” has the lowest level of rigorousness.

(1) Highest Level: representing the level of security rigorousness considered to be required by a government or a military organization;

(2) Financial Level: representing the level of security rigorousness considered to be required by a financial institution;

(3) International Level: representing the level of security rigorousness considered to be required by international enterprises;

(4) General Level: representing the level of security rigorousness considered to be required by domestic enterprises;

(5) Educational Institution Level: representing the level of rigorousness considered to be required by an educational institution.

Here, examples of five levels of security rigorousness are illustrated. As a matter of course, three levels of security rigorousness; namely, a highest level of security rigorousness, a medium level of security rigorousness, and a lowest level of security rigorousness, may be adopted.

5-A Establishment of Security Policy for which Rigorousness has been Designated

Utilization of indicators of rigorousness of a security policy in step S1-2 (FIG. 1) will now be described. When preparing a security policy draft in step S1-2 (FIG. 1), the user selects a desired security rigorousness from the above-described five levels of security rigorousness and instructs the selected level of security rigorousness to the draft preparation apparatus 20.

By means of the indicator of rigorousness, the user extracts from global guidelines a regulation having a desired rigorousness, thereby enabling preparation of a security policy draft of rigorousness desired by the user. Many of the global guidelines include indicators representing the rigorousness of a security policy. Hence, preparation of a security policy draft of desired rigorousness is feasible.

Extraction operation is to incorporate knowledge concerning the rigorousness of each global guideline into knowledge-based information, and to extract an appropriate rule from global guidelines on the basis of an indicator prescribed by the user by utilization of the knowledge-based information. Knowledge about rigorousness of each of global guidelines is knowledge produced by linking the five levels of security rigorousness with regulations corresponding to the indicators of rigorousness. Through use of such knowledge, regulations corresponding to a given indicator of rigorousness can be selected from the global guidelines.

FIG. 11 is a block diagram showing the configuration of a security policy draft preparation apparatus 420 according to a fifth embodiment of the present invention. As illustrated, an indicator of rigorousness prescribed by the user is delivered to draft preparation means 428 in the security policy draft preparation apparatus 420.

On the basis of the indicator of rigorousness prescribed by the user, the draft preparation means 428 prepares a security policy draft. As mentioned above, a preparation operation is effected to use the knowledge-based information knowledge about a policy matching the prescribed indicator of rigorousness, and to extract from global guidelines a policy matching an indicator of rigorousness on the basis of the knowledge-based information. Briefly, this operation corresponds to pre-arrangement of a rule concerning setting of a policy in connection with a certain indicator of rigorousness (in the knowledge-based information).

Operation required for establishing a security policy according to the fifth embodiment is essentially identical with that described in connection with the flowchart shown in FIG. 5, exclusive of the following two points:

First, in step S5-1 the inquiry preparation means 422 prepares inquiries on the basis of the level of rigorousness prescribed by the user. “Level of rigorousness” has a smaller effect on inquiries than do other parameters (i.e., a field of business). In general, as the level of rigorousness is increased, prepared inquiries concern items of greater detail. Further, as the level of rigorousness is decreased, inquiries about detailed items are newly prepared.

It is considered that the rigorousness of a security policy is reset to a higher level after establishment of the security policy. In this case, a higher level of rigorousness prescribed by the user is supplied also to inquiry preparation means 422. Hence, the inquiry preparation means 422 prepares inquiries concerning items of greater detail. Consequently, there may arise a case where inquiries are provided to members (i.e., interrogees) of an organization once again in part.

If the level of rigorousness of a security policy is reset to a lower level, there is usually no chance of generating new inquiries. Consequently, in this case, a new security policy can be established immediately without implementation of inquiries.

Second, in step S5-4 the indicator of rigorousness prescribed by the user is supplied to the draft preparation means 428, and the draft preparation means 428 prepares a security policy draft on the basis of the indicator of rigorousness.

The operation required for establishing a security policy according to the fifth embodiment is essentially identical with that described in connection with the flowchart shown in FIG. 5, exclusive of the above-described two points.

5-B Adjustment of Security Policy for which Level of Rigorousness has been Designated

In the fifth embodiment, adjustment of a security policy is automatically effected in step S1-4 (FIG. 1). FIG. 12 is a block diagram showing the configuration of a security policy rigorousness adjustment apparatus 500 for effecting adjustment of such a security policy. As illustrated, the security policy rigorousness adjustment apparatus 500 comprises rigorousness inspection means 502, rigorousness adjustment means 504, storage means 506, and merging means 508.

The rigorousness inspection means 502 is supplied with a security policy draft produced by means of the operations up to step S1-3 (FIG. 1). On the basis of an indicator of rigorousness prescribed by the user, the rigorousness inspection means 502 inspects so as to determine whether each of the rules in a security policy draft matches the rigorousness prescribed by the user. If the result of inspection shows that each of the rules matches the prescribed rigorousness, the rules are output in their present forms. If some of the rules fail to match the prescribed rigorousness, the rules are supplied to rigorousness adjustment means 504. On the basis of the indicator of rigorousness prescribed by the user, the rigorousness adjustment means 504 rewrites the thus-supplied rules and outputs rewritten rules. Information pertaining to correlation between global guidelines, respective rules in the global guidelines, and an indicator of rigorousness is stored in the storage means 508.

FIG. 13 shows a flowchart representing the operation of the security policy rigorousness adjustment apparatus 500.

In step S13-1, a security policy draft is supplied to the rigorousness inspection means 502.

In step S13-2, the rigorousness inspection means 502 inspects so as to determine whether each of rules in the supplied security policy draft matches the indicator of rigorousness prescribed by the user. If the rules match the indicator of rigorousness, processing proceeds to step S14-3 to be described later. In contrast, if some of the rules fail to match the indicator of rigorousness, processing proceeds to step S14-4. In step S13-4, the rules which fail to match the indicator of rigorousness are changed so as to match the indicator, by means of the rigorousness adjustment means 504 and by utilization of information pertaining to correlation between the rules provided in the global guidelines and the indicator of rigorousness, which information is stored in the storage means 506. The information pertains to an indicator of rigorousness corresponding to each of the rules provided in the global guidelines. Utilization of the information enables ascertainment of rules matching the indicator of rigorousness prescribed by the user. The thus-ascertained rules are extracted from the global guidelines stored in the storage means 506. Rules which fail to match the indicator of rigorousness are replaced with the thus-extracted rules.

In step S13-3, the merging means 508 merges the rules that have from the beginning matched the indicator of rigorousness with the altered rules, and outputs the thus-merged rules.

Thus, each of the rules provided in the security policy draft can be matched with an indicator of rigorousness prescribed by the user.

The rigorousness inspection means 502, the rigorousness adjustment means 504, and the merging means 508 according to the fifth embodiment are preferably implemented in the form of software which runs on a computer. Further, the storage means 506 is preferably embodied as a storage medium, such as a hard disk drive, CD-ROM, or DVD.

Relationship Between Rule and Indicator of Rigorousness

A more detailed explanation is given of a case where in step S13-2 no match has been determined to exist between the rigorousness of rules and the indicator of rigorousness prescribed by the user.

If the rigorousness of the rules is of lower level than the rigorousness indicated by the indicator, the rules are determined to fail to match the indicator of rigorousness. The rules are replaced with rules of higher rigorousness level.

For example, if the rules are of an educational institution level and the rigorousness prescribed by the user is of a financial level, the rules are replaced with rules of a financial level. Moreover, a period of validity of a password is shortened from 120 days to 30 days. Thus, rules are replaced with more rigorous rules.

If rules are higher in level than the indicator of rigorousness, the rules are determined to fail to match the indicator of rigorousness. The rules are replaced with rules of lower rigorousness level.

If rules are at a highest level of rigorousness and the level of rigorousness prescribed by the user is at a general level, the rules are replaced with rules of general level of rigorousness. For example, in the case of rules of highest level of rigorousness, a period of validity of a password is one week. If the level of the rules is too rigorous, the user prescribes a general level of rigorousness. As a result, the period of validity of a password is extended to 100 days, and the rules are replaced with rules of lower level of rigorousness.
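The inspect, adjust and merge flow of FIG. 13, using the password validity periods quoted above, sketched in Python as an added example (it is not code from the patent). The `Rule` and `Change` types, the catalogue standing in for the contents of storage means 506, the non-password rules, and the handling of a rule that has no replacement at the requested level are assumptions of this sketch.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum


class Rigor(IntEnum):
    """The five indicators of rigorousness; a larger value is more rigorous."""
    EDUCATIONAL = 1
    GENERAL = 2
    INTERNATIONAL = 3
    FINANCIAL = 4
    HIGHEST = 5


@dataclass(frozen=True)
class Rule:
    item: str      # what the rule governs (assumed unique within a draft)
    level: Rigor   # indicator of rigorousness the rule corresponds to
    text: str


@dataclass(frozen=True)
class Change:
    old: Rule
    new: Rule

    @property
    def direction(self) -> str:
        return "tightened" if self.new.level > self.old.level else "relaxed"


def build_catalogue(rows):
    """Index rules by (item, level): the stored rule/indicator correlation."""
    return {(item, level): Rule(item, level, text) for item, level, text in rows}


# Stand-in for the contents of storage means 506. The password validity
# periods are the ones quoted in the text; every other row is constructed.
CATALOGUE = build_catalogue([
    ("password_validity", Rigor.HIGHEST, "Passwords are valid for 7 days."),
    ("password_validity", Rigor.FINANCIAL, "Passwords are valid for 30 days."),
    ("password_validity", Rigor.GENERAL, "Passwords are valid for 100 days."),
    ("password_validity", Rigor.EDUCATIONAL, "Passwords are valid for 120 days."),
    ("remote_access", Rigor.FINANCIAL, "Remote access requires a VPN and manager approval."),
    ("remote_access", Rigor.GENERAL, "Remote access requires a VPN."),
    ("media_disposal", Rigor.GENERAL, "Paper records are shredded before disposal."),
])


def inspect_rules(draft, target):
    """Step S13-2: split the draft into matching and non-matching rules."""
    matching = [r for r in draft if r.level == target]
    mismatched = [r for r in draft if r.level != target]
    return matching, mismatched


def adjust_rules(mismatched, target, catalogue):
    """Step S13-4: look up the replacement for each non-matching rule.

    A rule whose item has no catalogue entry at the target level cannot be
    rewritten automatically; it is returned as unresolved (an assumption of
    this sketch, the text does not cover that case).
    """
    changes, unresolved = [], []
    for rule in mismatched:
        replacement = catalogue.get((rule.item, target))
        if replacement is None:
            unresolved.append(rule)
        else:
            changes.append(Change(rule, replacement))
    return changes, unresolved


def merge_rules(draft, changes):
    """Step S13-3: merge untouched and rewritten rules in draft order."""
    rewritten = {c.old.item: c.new for c in changes}
    return [rewritten.get(r.item, r) for r in draft]


def adjust_policy(draft, target, catalogue=CATALOGUE):
    """Inspect, adjust and merge; return (policy, changes, unresolved)."""
    _, mismatched = inspect_rules(draft, target)
    changes, unresolved = adjust_rules(mismatched, target, catalogue)
    return merge_rules(draft, changes), changes, unresolved


# Constructed draft: one rule below the target, one at it, one with no replacement.
SAMPLE_DRAFT = [
    CATALOGUE[("password_validity", Rigor.EDUCATIONAL)],
    CATALOGUE[("remote_access", Rigor.FINANCIAL)],
    CATALOGUE[("media_disposal", Rigor.GENERAL)],
]

if __name__ == "__main__":
    policy, changes, unresolved = adjust_policy(SAMPLE_DRAFT, Rigor.FINANCIAL)
    for rule in policy:
        print(f"{rule.level.name:<12} {rule.item:<18} {rule.text}")
    for c in changes:
        print(f"{c.direction}: {c.old.item} ({c.old.level.name} -> {c.new.level.name})")
    for rule in unresolved:
        print(f"needs manual review: {rule.item} stays at {rule.level.name}")
```

Recording each change with its direction gives a reviewer a list of rules that were relaxed, which is where a lowered indicator weakens controls such as password validity.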

Sixth Embodiment Selection of Range of Establishment

In the embodiments which have been described thus far, a security policyis prepared for the entirety of an organization. However, it isconsidered that there are many desires to establish a security policyfor only a portion of the system of the organization.

The user prescribes a range within which a security policy is to beestablished. If an apparatus and method for establishing a securitypolicy are adopted on the basis of the range, the user can establish asecurity policy within only an area where establishment of a securitypolicy is desired, thus affording convenience to a user.

FIG. 14 is a block diagram showing the configuration of a securitypolicy draft preparation apparatus 520. The thus-illustrated securitypolicy draft preparation apparatus 520 is identical in configurationwith the security policy preparation apparatus 320 described byreference to FIG. 10 and with the security policy preparation apparatus420 described by reference to FIG. 11.

The two following points of difference are present.

-   A range of establishment of a security policy prescribed by the user is supplied to the draft preparation means 528.
-   A range of establishment of a security policy prescribed by the user is supplied to the inquiry preparation means 522.

By means of such a configuration, the draft preparation means 528 establishes a security policy within a range prescribed by the user, and hence the user can efficiently establish a security policy within a required range.

Further, the inquiry preparation means 522 prepares only inquiries about the range prescribed by the user, and hence useless inquiries are obviated, thus enabling conduct of efficient inquiries. Here, provision of the range prescribed by the user to the inquiry preparation means 522 is not essential. The reason for this is that the number of inquiries does not affect establishment of a security policy. If inquiries are irrelevant to the range prescribed by the user, an interviewer can skip the inquiries at the time of an interview. Consequently, supply of the range prescribed by the user to the inquiry preparation means 522 is not indispensable.

The user can specify the range of establishment of a security policy by means of various methods.

(1) First, the user can specify the range of establishment of a security policy on a product level. For example, if the user desires to establish a security policy concerning only “VPN,” the user can establish a security policy concerning VPN by means of prescribing “VPN.” By means of prescribing specific hardware or software, such as a WEB, an E-mail, or a firewall, or specific functions thereof, the user can specify establishment of a security policy concerning specific hardware or software.

(2) Next, the user can prescribe the range of establishment of a security policy according to an object of use of the security policy. For example, if the user desires to establish a security policy for only an “outside subcontract,” a security policy can be established with regard to an area which is turned over to an outside contractor. The user can specify establishment of a security policy within a range of object of use or purpose, by means of prescribing the object of use or purpose, such as electronic trading (E commerce) or a data center.

(3) Further, the user can specify the range of establishment of a security policy from the viewpoint of organizational structure. For example, if the user desires to establish a security policy in connection with only the “home office,” the user can establish a security policy pertaining to the home office, by means of prescribing the “home office.” If the user prescribes branch offices, a security policy pertaining to branch offices can be established. Moreover, the user can establish a security policy pertaining to a network or a security policy pertaining to a host by means of prescribing a network or a host.

Operation required for establishing a security policy according to the seventh embodiment is essentially identical with that shown in FIG. 5, exclusive of the following points of difference.

-   First, in step S5-4 shown in FIG. 5 a security policy draft is established on the basis of the range prescribed by the user.
-   Second, in step S5-1 shown in FIG. 5 inquiries pertaining to only the range prescribed by the user are prepared.

The second point of difference is not essential. As has been described, even when inquiries fall outside the range prescribed by the user, such inquiries do not directly pose a problem for establishment of a security policy. Further, it is also considered that an interviewer skips such inquiries, as required. Hence, there is no problem even when inquiries are identical with those described in connection with the first embodiment.

The draft preparation means 528 shown in FIG. 14 establishes a security policy draft. To this end, knowledge-based information concerning ranges within which the rules provided in the global guidelines fall is established in the storage means 524. More specifically, in the storage means 524 is stored knowledge-based information concerning whether rules fall within the range of “home office” or the range of “branch offices.” By reference to the knowledge-based information, the draft establishment means 528 establishes a security policy (draft) through use of only the rules falling within the range prescribed by the user.

In this way, in the sixth embodiment, a security policy (draft) can be prepared within the range prescribed by the user.
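The range-restricted draft preparation described above, together with the replacement of rules according to the indicator of rigorousness, can be sketched as follows. This is an added example, not code from the patent: the rule identifiers, the VPN timeout values, the ordering of the four levels and the nearest-level fallback are assumptions, while the password periods are the ones the text gives.

```python
from dataclasses import dataclass, field

# Assumed ordering of rigorousness levels, least to most rigorous.
LEVELS = ("educational", "general", "financial", "highest")


@dataclass
class Rule:
    rule_id: str                 # hypothetical identifier
    text: str                    # natural-language rule, may contain {value}
    ranges: frozenset            # ranges the rule falls within
    values: dict = field(default_factory=dict)  # level -> parameter


# Constructed knowledge base. The password periods are those given in the
# text (one week = 7 days); every other rule and value is made up.
KNOWLEDGE_BASE = [
    Rule("PW-01", "Passwords expire after {value} days.",
         frozenset({"home office", "branch offices", "VPN"}),
         {"educational": 120, "general": 100, "financial": 30, "highest": 7}),
    Rule("VPN-01", "Idle VPN sessions are disconnected after {value} minutes.",
         frozenset({"VPN"}), {"general": 60, "financial": 15}),
    Rule("BR-01", "Branch office servers are kept in a locked room.",
         frozenset({"branch offices"})),
    Rule("OUT-01", "Contractor accounts are reviewed by a staff member.",
         frozenset({"outside subcontract"})),
]


def value_for_level(rule, level):
    """Return the rule's parameter for the prescribed indicator.

    Assumption: when the knowledge base has no variant at exactly that
    level, the nearest more rigorous variant is used, and only failing
    that the nearest less rigorous one.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown rigorousness level: {level!r}")
    want = LEVELS.index(level)
    order = list(range(want, len(LEVELS))) + list(range(want - 1, -1, -1))
    for i in order:
        if LEVELS[i] in rule.values:
            return rule.values[LEVELS[i]]
    return None  # rule has no level-dependent parameter


def prepare_draft(kb, prescribed_range, level):
    """Build a draft from the rules inside the prescribed range.

    prescribed_range is a set of range names (product, purpose or
    organizational unit); None means the entire organization.
    """
    if level not in LEVELS:
        raise ValueError(f"unknown rigorousness level: {level!r}")
    if prescribed_range is None:
        selected = list(kb)
    else:
        wanted = set(prescribed_range)
        selected = [r for r in kb if r.ranges & wanted]
    return {r.rule_id: r.text.format(value=value_for_level(r, level))
            for r in selected}


if __name__ == "__main__":
    for rng, lvl in (({"VPN"}, "financial"), ({"branch offices"}, "general"),
                     (None, "highest")):
        print(rng, lvl)
        for rule_id, text in prepare_draft(KNOWLEDGE_BASE, rng, lvl).items():
            print("  ", rule_id, text)
```

Preparing the same range again at a different level reproduces the replacements the text walks through: 120 days becomes 30 days when moving from the educational to the financial level, and one week becomes 100 days when moving from the highest to the general level.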

The sixth embodiment has described an example in which the inquiry preparation means 522 prepares inquiries in accordance with job specifications of a member (or interviewee), as in the case of the first embodiment (FIG. 14). Here, the inquiry preparation means 522 may be arranged so as to provide a member with general inquiries regardless of his job specifications.

Seventh Embodiment Programs and a Recording Medium

Preferably, the means which have been described thus far are actually embodied as programs and a processor executing the program.

FIG. 15 shows a computer 602 having a hard disk drive 600 having programs stored therein.

Programs for performing operations of the inquiry preparation means 12, the answer archival storage means 16, and the draft preparation means 18 described in connection with the first through seventh embodiments are stored in the hard disk drive 600. As a result of a processor of the computer 602 executing the programs, the computer 602 enables implementation of operations corresponding to the inquiry preparation means, the answer archival storage means, and the draft preparation means.

Programs for effecting operation of the contradiction inspection means 32, that of the contradiction output means 40, that of the matching means 41, that of the virtual information system establishment means 34, that of the difference output means 38, and that of the real system input means 36, all the means being shown in FIG. 7, are stored in the hard disk drive 600. By means of the processor of the computer 602 executing these programs, the computer 602 can effect operation of the contradiction inspection means 32 and operations of the other means.

Preferably, the storage means 14 described in connection with the embodiments is provided in the hard disk drive 600.

An operator of the computer 602 launches the foregoing programs, thereby generating inquiries and entering, by way of a keyboard 604, answers to the inquiries from members of an organization. As a matter of course, answers may be entered by use of an input device such as a mouse.

FIG. 15 shows an example in which programs run on the computer 602 of so-called standalone type. However, programs may be supplied over a network.

For example, there is preferably adopted an arrangement in which a client computer executes or downloads the foregoing programs stored in a server each time execution of the programs is required.

Security Policy Draft

The first through eighth embodiments have primarily described preparation of a security policy draft. Needless to say, the security policy draft preparation apparatus can be used for establishing a security policy which is not a draft. In other words, the security policy draft preparation apparatus doubles as a security policy establishment apparatus, and the method of preparing a security policy draft doubles as a method of establishing a security policy. The draft preparation means doubles as a security policy establishment means.

As has been described above, according to the present invention, inquiries are submitted to members of an organization, and a security policy is established on the basis of the resultant answers. Accordingly, a security policy can be established easily.

Further, a security policy is established stepwise, and hence flexible establishment of a security policy can be implemented while taking into consideration the organization's desires (e.g., a budget or the like).

According to the present invention, the state of information security of an organization is determined, so that the organization can become aware of the importance of information security.

Since security measures can be provided together with the priority thereof, planning of measures for future information security becomes easy. Moreover, the organization can discuss a budget on the basis of the plan.

According to the present invention, a security policy can be established in consideration of line of business.

According to the present invention, the user can specify global guidelines to be used for establishing a security policy.

According to the present invention, a security policy is established through use of recommendations and regulations aimed at a specific line of business other than global guidelines. Hence, an elaborate security policy more preferably matching line of business can be established.

According to the present invention, the user can specify the level of rigorousness of security policy through use of an indicator of rigorousness. Further, according to the present invention, the level of rigorousness of a security policy can be adjusted through use of an indicator of rigorousness.

According to the present invention, the range of establishment of a security policy can be explicitly prescribed by the user. As a result, establishment of a security policy for a portion of an organization can be effected.

1. A method of generating a security policy for an organization, comprising: receiving a field of business identifier; receiving an indicator of rigorousness; generating security rules from a stored knowledge base based on the indicator of rigorousness; generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness; transmitting the generated inquiries to at least one user; receiving input from the at least one user in response to the transmitted inquiries; adjusting the security rules based on the received input and the indicator of rigorousness; and outputting the security policy that includes the security rules, wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
 2. The method of generating a security policy according to claim 1, wherein transmitting the generated inquiries further comprises transmitting the generated inquiries to members of an organization for review and receiving input further comprises receiving input from the members of the organization.
 3. The method of generating a security policy according to claim 2, further comprising generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
 4. The method of generating a security policy according to claim 2, further comprising receiving job specifications of the members to receive the inquiries, wherein generating inquiries includes generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
 5. The method of generating a security policy according to claim 3, wherein receiving input from the members of the organization includes: storing input received from a member; comparing input from other members to the stored input; retransmitting inquiries to members if contradictory inputs are received; and storing input received from members in response to retransmitted inquiries.
 6. The method of generating a security policy according to claim 5, further comprising: assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and displaying an estimated response based upon the weighted contradictory inputs.
 7. The method of generating a security policy according to claim 5, further comprising: comparing the information system virtual design and a real information system design and updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
 8. The method of generating a security policy according to claim 7, further comprising: assigning priorities to identified differences within the first set of differences; and generating a schedule for resolving the first set of differences based upon the priorities assigned.
 9. The method of generating a security policy according to claim 7, further comprising generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness.
 10. The method of generating a security policy according to claim 1, wherein the generated security policy draft includes recommendations for regulations aimed at a specific line of business.
 11. The method of generating a security policy according to claim 1, wherein the stored knowledge base includes a set of global guidelines, recommendations or regulations aimed at a specific line of business.
 12. The method of generating a security policy according to claim 11, wherein the inquiries are generated based upon the global guidelines.
 13. The method of generating a security policy according to claim 1, wherein the stored knowledge base includes security rules related to at least three levels of security policy, including: executive-level security rules that describe an organization's policy concerning information security, in conformity with global guidelines; corporate-level security rules that describe an information security system embodying the executive-level information security policy; and product-level security rules that describe measures for implementing the executive-level security policy with reference to the corporate-level security policy.
 14. The method of generating a security policy according to claim 13, wherein the corporate-level security policy includes security rules for the information security system of the overall organization; and includes security rules for individual equipment components constituting the information security system of the organization.
 15. The method of generating a security policy according to claim 13, wherein the product-level security policy includes at least two types of product-level security rules, including: first-level product security rules that describe settings of individual equipment components constituting the information security system in natural language; and second-level product security rules that describe settings of individual equipment component constituting the information security system in a specific language used in each specific equipment component.
 16. An apparatus for generating a security policy for an organization, comprising: means for receiving a field of business identifier; means for receiving an indicator of rigorousness; means for generating security rules from a stored knowledge base based on the indicator of rigorousness; means for generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness; means for transmitting the generated inquiries to at least one user; means for receiving input from the at least one user in response to the transmitted inquiries; means for adjusting the security rules based on the received input and the indicator of rigorousness; and means for outputting the security policy that includes the security rules, wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
 17. The apparatus for generating a security policy according to claim 16, wherein the means for transmitting the generated inquiries further comprises means for transmitting the generated inquiries to members of an organization for review and the means for receiving input further comprises means for receiving input from the members of the organization.
 18. The apparatus for generating a security policy according to claim 17, further comprising means for generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
 19. The apparatus for generating a security policy according to claim 17, further comprising means for receiving job specifications of the members to receive the inquiries, wherein the means for generating inquiries includes means for generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
 20. The apparatus for generating a security policy according to claim 18, wherein the means for receiving input from the members of the organization includes: means for storing input received from a member; means for comparing input from other members to the stored input; means for retransmitting inquiries to members if contradictory inputs are received; and means for storing input received from members in response to retransmitted inquiries.
 21. The apparatus for generating a security policy according to claim 20, further comprising: means for assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and means for displaying an estimated response based upon the weighted contradictory inputs.
 22. The apparatus for generating a security policy according to claim 20, further comprising: means for comparing the information system virtual design and a real information system design and means for updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and means for comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
 23. The apparatus for generating a security policy according to claim 22, further comprising: means for assigning priorities to identified differences within the first set of differences; and means for generating a schedule for resolving the first set of differences based upon the priorities assigned.
 24. The apparatus for generating a security policy according to claim 22, further comprising means for generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness.
 25. The apparatus for generating a security policy according to claim 16, wherein the generated security policy draft includes recommendations for regulations aimed at a specific line of business.
 26. The apparatus for generating a security policy according to claim 16, wherein the stored knowledge base includes a set of global guidelines, recommendations or regulations aimed at a specific line of business.
 27. The apparatus for generating a security policy according to claim 26, wherein the inquiries are generated based upon the global guidelines.
 28. The apparatus for generating a security policy according to claim 16, wherein the stored knowledge base includes security rules related to at least three levels of security policy, including: executive-level security rules that describe an organization's policy concerning information security, in conformity with global guidelines; corporate-level security rules that describe an information security system embodying the executive-level information security policy; and product-level security rules that describe measures for implementing the executive-level security policy with reference to the corporate-level security policy.
 29. The apparatus for generating a security policy according to claim 28, wherein the corporate-level security policy includes security rules for the information security system of the overall organization; and includes security rules for individual equipment components constituting the information security system of the organization.
 30. The apparatus for generating a security policy according to claim 28, wherein the product-level security policy includes at least two types of product-level security rules, including: first-level product security rules that describe settings of individual equipment components constituting the information security system in natural language; and second-level product security rules that describe settings of individual equipment components constituting the information security system in a specific language used in each specific equipment component.
 31. A storage medium storing a set of program instructions executable on a data processing device and usable for generating a security policy for an organization, comprising: instructions for receiving a field of business identifier; instructions for receiving an indicator of rigorousness; instructions for generating security rules from a stored knowledge base based on the indicator of rigorousness; instructions for generating inquiries regarding the security rules based on the field of business identifier and the indicator of rigorousness; instructions for transmitting the generated inquiries to at least one user; instructions for receiving input from the at least one user in response to the transmitted inquiries; instructions for adjusting the security rules based on the received input and the indicator of rigorousness; and instructions for outputting the security policy that includes the security rules, wherein the security policy includes settings of individual equipment components within the organization that implements the security policy.
 32. The storage medium according to claim 31, wherein the instructions for transmitting the generated inquiries further comprise instructions for transmitting the generated inquiries to members of an organization for review and instructions for receiving input further comprises receiving input from the members of the organization.
 33. The storage medium according to claim 32, further comprising instructions for generating an information system virtual design based on the received input, the level of rigorousness and the field of business identifier.
 34. The storage medium according to claim 32, further comprising instructions for receiving job specifications of the members to receive the inquiries, wherein the instructions for generating inquiries includes instructions for generating inquiries based upon the field of business identifier, the indicator of rigorousness and the received member job specifications.
 35. The storage medium according to claim 33, wherein the instructions for receiving input from the members of the organization includes: instructions for storing input received from a member; instructions for comparing input from other members to the stored input; instructions for retransmitting inquiries to members if contradictory inputs are received; and instructions for storing input received from members in response to retransmitted inquiries.
 36. The storage medium according to claim 35, further comprising: instructions for assigning weights to contradictory inputs according to job specifications of the members if contradictory inputs are received from members in response to retransmitted inquiries; and instructions for displaying an estimated response based upon the weighted contradictory inputs.
 37. The storage medium according to claim 35, further comprising: instructions for comparing the information system virtual design and a real information system design and updating the information system virtual design to correct identified differences, thereby obtaining a verified information system virtual design; and instructions for comparing the verified information system virtual design with the generated security policy draft to identify a first set of differences.
 38. The storage medium according to claim 37, further comprising: instructions for assigning priorities to identified differences within the first set of differences; and instructions for generating a schedule for resolving the first set of differences based upon the priorities assigned.
 39. The storage medium according to claim 37, further comprising instructions for generating an assessment of a security state of the organization based upon the first set of differences and the received level of rigorousness. 